[Rpm-maint] [rpm-software-management/rpm] rpm should not use short gpg key ids in messages (Issue #2403)
Zbigniew Jędrzejewski-Szmek
notifications at github.com
Wed Mar 1 11:25:10 UTC 2023
Copied over from https://bugzilla.redhat.com/show_bug.cgi?id=2174373:
Description of problem:
(Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=2170878.)
Short gpg key ids are easy to spoof and generally should not be used [e.g. 1].
rpm prints them in various messages:
```
warning: google-chrome-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
```
There is really no point in trying to save a few bytes. Please print at least the "long" 16-digit hash. With the short id the user cannot even reliably look up the key online.
In other output, please print the full hash:
```console
$ rpm -qi util-linux | rg Signature
Signature : RSA/SHA256, Sat 21 Jan 2023 11:02:21 AM CET, Key ID 809a8d7ceb10b464
```
The full fingerprint is 6A51BBABBA3D5467B6171221809A8D7CEB10B464
and it is just easier to do verification if the full hash is known.
Version-Release number of selected component (if applicable):
rpm-4.18.0-10.fc38.x86_64
[1] https://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i
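A defender-side check of the point made in the issue, written as an added example (not rpm's code or the reporter's): it parses signature lines of the kind quoted above, classifies the key ID by length, and only accepts a package when the ID is a suffix of a trusted fingerprint, which a short 32-bit ID can never satisfy. The sample lines and the trusted-fingerprint set are constructed from the values quoted in the issue.

```python
import re

# Constructed sample lines, modelled on the two rpm messages quoted in the issue.
SAMPLE_LINES = [
    "warning: google-chrome-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY",
    "Signature   : RSA/SHA256, Sat 21 Jan 2023 11:02:21 AM CET, Key ID 809a8d7ceb10b464",
]

# Trusted OpenPGP v4 fingerprints (40 hex digits); the one below is quoted in the issue.
TRUSTED_FINGERPRINTS = {"6A51BBABBA3D5467B6171221809A8D7CEB10B464"}

# rpm prints "key ID" or "Key ID" followed by a hex string; capture whatever length appears.
KEY_ID_RE = re.compile(r"[Kk]ey ID ([0-9A-Fa-f]{8,40})")


def key_id_kind(key_id):
    """Classify an OpenPGP identifier by its hex length."""
    return {8: "short", 16: "long", 40: "fingerprint"}.get(len(key_id), "unknown")


def extract_key_id(line):
    """Return the key ID printed in an rpm signature line, or None if absent."""
    m = KEY_ID_RE.search(line)
    return m.group(1) if m else None


def match_trusted(key_id, trusted):
    """A v4 key ID is the low-order bytes of the fingerprint, so a genuine ID is a
    suffix of it. Return the matching trusted fingerprint, or None."""
    wanted = key_id.upper()
    for fpr in trusted:
        if fpr.upper().endswith(wanted):
            return fpr
    return None


def assess(line, trusted):
    """Decide whether an rpm signature line identifies a trusted key well enough.
    Short (32-bit) IDs are collidable and are never accepted as verification."""
    key_id = extract_key_id(line)
    kind = key_id_kind(key_id) if key_id else "none"
    if kind in ("short", "unknown", "none"):
        verdict = "insufficient"
    elif match_trusted(key_id, trusted):
        verdict = "trusted"
    else:
        verdict = "untrusted"
    return {"key_id": key_id, "kind": kind, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(assess(line, TRUSTED_FINGERPRINTS))
```

Even a 64-bit "long" ID is weaker than the full fingerprint, so a trusted set keyed by fingerprints lets the same check accept the full value whenever rpm prints it.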