32bit key id is a poor idea... use full fingerprint instead #3214
Comments
Ok, I get it's bad to use a 32bit key, how do I fix it? The mentioned link does not seem to show a fix, it only describes the problem (sorry if I missed it, a bit tired)

ah so the

The patch mentioned on that page has to do with a MITM attack, not 32bit key ids. People using old versions of GPG might be vulnerable to the MITM if their network is compromised but I don't think it's worth mentioning. The 32bit collision issue is a separate issue that cannot be "patched". I can easily upload a key with the same 32bit fingerprint and users would receive both into their local key ring. The command above should run in all versions of GPG. Keyservers are required to allow full fingerprint searches. From the spec: http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.1.1.1

https://rvm.io/rvm/install contains the line
gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
You should use your full fingerprint instead. See https://evil32.com/ for more info.
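
A check for the pattern this issue reports, as an added example that is not part of the original thread or of RVM's code: it scans install instructions for `gpg --recv-keys` arguments and flags any that are 32-bit or 64-bit key IDs rather than 40-hex fingerprints. The function names are hypothetical, and the 40-hex value in the sample is a constructed placeholder, not a real key's fingerprint.

```shell
#!/bin/sh
# Added example (not from the thread): lint install docs for gpg --recv-keys
# arguments that are key IDs rather than full fingerprints.

# classify_keyid ID -> prints short | long | fingerprint | invalid
classify_keyid() {
    # Drop spaces and an optional 0x prefix before measuring the length.
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//')
    case "$id" in
        ''|*[!0-9A-Fa-f]*) echo invalid; return ;;
    esac
    case ${#id} in
        8)  echo short ;;        # 32-bit key ID, the form this issue warns about
        16) echo long ;;         # 64-bit key ID, still not the whole fingerprint
        40) echo fingerprint ;;  # full 160-bit (v4) fingerprint
        *)  echo invalid ;;
    esac
}

# lint_recv_keys: reads text on stdin, prints LINE:ID:CLASS for every
# --recv-keys argument that is not a full fingerprint; returns 1 if any found.
lint_recv_keys() {
    rc=0; n=0
    while IFS= read -r line; do
        n=$((n + 1)); seen=0
        for word in $line; do   # unquoted on purpose: split the line into words
            if [ "$seen" -eq 0 ]; then
                case "$word" in --recv-key|--recv-keys) seen=1 ;; esac
                continue
            fi
            case "$word" in -*) break ;; esac   # next option ends the ID list
            class=$(classify_keyid "$word")
            if [ "$class" != fingerprint ]; then
                echo "$n:$word:$class"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: line 1 is the command quoted in the issue; line 2 uses a
# made-up 40-hex placeholder, not any real key's fingerprint.
sample_doc() {
    echo 'gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3'
    echo 'gpg --keyserver hkp://keys.gnupg.net --recv-keys 0123456789ABCDEF0123456789ABCDEF01234567'
}

sample_doc | lint_recv_keys || echo "non-fingerprint key IDs found"
```

The non-zero return status makes the function usable as a documentation or CI check; after importing by fingerprint, the key's fingerprint should still be compared against a value obtained from a trusted channel.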