This is the mail archive of the
mailing list for the binutils project.
Re: Release Signing Keys are Susceptible to Attack
- From: Richard Biener <richard dot guenther at gmail dot com>
- To: R0b0t1 <r030t1 at gmail dot com>
- Cc: Binutils <binutils at sourceware dot org>, GCC Development <gcc at gcc dot gnu dot org>, gdb at sourceware dot org
- Date: Thu, 17 Aug 2017 10:39:31 +0200
- Subject: Re: Release Signing Keys are Susceptible to Attack
- Authentication-results: sourceware.org; auth=none
- References: <CAAD4mYjJ-8zt0o1PjFO3k1K9CVDBVVUkVp2VgtMZcjFqmBOKkw@mail.gmail.com>
On Thu, Aug 17, 2017 at 4:23 AM, R0b0t1 <email@example.com> wrote:
> After downloading and verifying the releases on
> ftp://ftp.gnu.org/gnu/, I found that the maintainers used 1024 bit DSA
> keys with SHA1 content digests. 1024 bit keys are considered to be
> susceptible to realistic attacks, and SHA1 has been considered broken
> for some time.
> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf, p17
> SHA1 is weak enough that a team of researchers was able to mount a
> realistic attack at no great cost.

It looks like gpg2 uses SHA1 as digest algorithm by default. I use
a 2048bit RSA for signing, that should be ok, no?

I suggest to report the issue to gnupg upstream (I'm using 2.0.24
with libgcrypt version 1.6.1). It looks like the OpenPGP standard
mandates SHA1 here and using --digest-algo is strongly advised
against for interoperability reasons.

> As compilers and their utilities are a high value target I would
> appreciate it if the maintainers move to more secure verification