[Rpm-maint] [rpm-software-management/rpm] Give error message for failed PGP key import (PR #2097)

Neal H. Walfield notifications at github.com
Tue Jun 21 10:00:32 UTC 2022


I want SHA-1 to die, but this is a bit too much.

First, for v4 OpenPGP keys ([the current version](https://datatracker.ietf.org/doc/html/rfc4880)), [you have to use SHA1 to compute the Fingerprint and the Key ID](https://datatracker.ietf.org/doc/html/rfc4880#section-12.2).  There is no other way.  The Fingerprint and Key ID are used everywhere in the OpenPGP specification.  For instance, a signature includes an [Issuer field](https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.5), which contains the Key ID of the key that generated the signature.  If you can't compute the Key ID, then you can't designate (name) the certificate that generated the signature, but have to try all available signing-capable keys.  That's a performance disaster.  The good news is that the Key ID is self authenticating: if you verify the signature, then you know that the Key ID is correct.

Second, a hash algorithm provides several security properties.  The two most important are collision resistance and second pre-image resistance.  [SHA1's collision resistance has been broken](https://sha-mbles.github.io/), but its second pre-image resistance is fine.  A second pre-image attack is when an attacker finds a second text that has the same hash as a given text.  This type of attack is much harder, because it can't exploit the birthday paradox.  Collision resistance is only needed when the attacker can choose both messages.  Since an attacker doesn't control the key, self signatures don't need a hash with collision resistance (the attacker doesn't control the key material).  And since a fingerprint is basically the hash of a key, it also doesn't need a hash with collision resistance.

In short, yes, data signatures using SHA-1 should be rejected.  Yes, it would be nice to have self signatures that don't use SHA-1 since there are alternatives.  But, a v4 OpenPGP implementation must be able to compute the fingerprint.

Note: v5 keys will use SHA256.  The RFC draft is in working group last call.  But even if it is standardized today, it will take years before enough users adopt v5 keys so that we can start rejecting v4 keys.

https://github.com/rpm-software-management/rpm/pull/2097#issuecomment-1161531538