On 03/15/2014 03:53 PM, Juha Heljoranta wrote:
> I am not able to get the gpg to verify a signature.
>
> Any advice on how to fix this?
> Or could the key 9C973C92 be invalid/broken?
>
>
> $ mkdir -m 700 newgnupg
> $ echo foo > zinc-0.2.0.jar
> $ wget http://repo1.maven.org/maven2/com/typesafe/zinc/zinc/0.2.0/zinc-0.2.0.jar.asc
This is a signature ostensibly made by a 2048-bit DSA key, made over an SHA-1 digest. DSA keys larger than 1024 bits should generally make signatures over stronger digests than SHA-1. See section 4.2 of FIPS-186-4 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf for similar guidance.

Perhaps the folks who publish zinc need to --enable-dsa2, or to remove any mistaken "digest-algo sha1" from their signing routines? You could point them at this thread in the gnupg-users archives if you think it would be useful.

That said, gpg seems to still accept signatures made by even stronger RSA keys over SHA-1. And it even accepts (with a warning) signatures by stronger RSA keys over MD5, which is even weaker than SHA-1. So gpg's behavior seems to be non-uniform here.

That said, I'd love to be able to tell gpg to ignore or explicitly reject signatures made by strong keys with MD5 digests.

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
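As an added example, not code from this thread or from GnuPG: a small Python checker that dearmors an OpenPGP `.asc` signature, reads the public-key and hash algorithm ids from the v4 signature packet (RFC 4880 layout), and flags a DSA signature whose digest is narrower than the key's subgroup order q (estimated from the bit length of r, the first MPI) or any signature made over MD5. The armored samples it builds are constructed for the demo and are not real signatures.

```python
import base64

PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}              # RFC 4880 public-key algorithm ids
HASH_ALGOS = {1: ("MD5", 128), 2: ("SHA-1", 160), 8: ("SHA-256", 256),   # RFC 4880 hash ids, digest bits
              9: ("SHA-384", 384), 10: ("SHA-512", 512), 11: ("SHA-224", 224)}

def dearmor(text):
    """Strip the ASCII-armor wrapper: BEGIN/END lines, 'Key: value' headers, blank line, CRC24 line."""
    body = [ln for ln in text.strip().splitlines()[1:-1] if ln and ":" not in ln and ln[0] != "="]
    return base64.b64decode("".join(body))

def parse_signature(data):
    """Return (pubkey_algo, hash_algo, first_mpi_bits) from a v4 OpenPGP signature packet."""
    hdr = data[0]
    if hdr & 0x40:                                   # new-format header, 1- or 2-octet length
        tag, pos = hdr & 0x3F, (2 if data[1] < 192 else 3)
    else:                                            # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, pos = (hdr >> 2) & 0x0F, 1 + (1, 2, 4)[hdr & 0x03]
    version, _sigtype, pk_algo, hash_algo = data[pos:pos + 4]
    if tag != 2 or version != 4:
        raise ValueError("expected a v4 signature packet")
    pos += 4
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")   # skip hashed subpackets
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")   # skip unhashed subpackets
    pos += 2                                               # left 16 bits of the digest
    return pk_algo, hash_algo, int.from_bytes(data[pos:pos + 2], "big")

def assess(pk_algo, hash_algo, mpi_bits):
    """Policy verdict: MD5 is rejected outright; DSA needs a digest at least as wide as q."""
    hname, hbits = HASH_ALGOS.get(hash_algo, (f"hash#{hash_algo}", 0))
    if hash_algo == 1:
        return "reject", f"signature over {hname}"
    # For DSA the first MPI is r, and r < q, so its bit length estimates the subgroup size N.
    if pk_algo == 17 and hbits < mpi_bits:
        return "weak", f"DSA with ~{mpi_bits}-bit q but only a {hbits}-bit {hname} digest"
    return "ok", f"{PUBKEY_ALGOS.get(pk_algo, pk_algo)} over {hname}"

def check_armored(text):
    return assess(*parse_signature(dearmor(text)))

def build_armored_sample(pk_algo, hash_algo, mpi_bits):
    """Constructed v4 signature (old-format header, dummy MPIs) in ASCII armor; not a real signature."""
    hashed = b"\x05\x02\x53\x24\x8d\x00"                  # one creation-time subpacket
    unhashed = b"\x09\x10" + b"\x00" * 8                  # one zeroed issuer key-id subpacket
    mpi = mpi_bits.to_bytes(2, "big") + b"\x80" + b"\x11" * ((mpi_bits + 7) // 8 - 1)
    body = bytes([4, 0, pk_algo, hash_algo]) + b"\x00\x06" + hashed + b"\x00\x0a" + unhashed + b"\xab\xcd" + mpi + mpi
    b64 = base64.b64encode(bytes([0x89]) + len(body).to_bytes(2, "big") + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n{b64}\n=none\n-----END PGP SIGNATURE-----\n"
```

Run `check_armored(open("zinc-0.2.0.jar.asc").read())` on a real detached signature to get the verdict; the thread's case (DSA, r around 224 bits, SHA-1) comes back as "weak".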