Open cezmunsta opened 8 months ago
Huh.
I admit that I'm far from an expert in anything related to crypto, but I cannot find any references to SHA1 on Keybase's public PGP key. The only information I get is that the PGP key was generated using RSA (4096 bits) encryption, which sounds rather secure to me.
But maybe I don't really understand the complexity of the issue altogether.
What happens when you import Keybase's code-signing public key directly into the PGP keychain (i.e., not going through whatever internal processes RPM might be using)?
@GwynethLlewelyn this is for package management. Signing the package with a weak hashing algorithm, and thus forcing the user to weaken the default crypto policy (and thus the system) or disable signature checking during installs, is not a good look.
The use of SHA-1 is restricted in the DEFAULT crypto policy. Except for HMAC, SHA-1 is no longer allowed in TLS, DTLS, SSH, IKEv2, DNSSEC and Kerberos protocols.
At the least, this prevents use on RHEL 9.
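The distinction the thread turns on is between the key's algorithm (RSA 4096, which is fine) and the digest used when the signature was made (SHA-1, which the DEFAULT policy rejects for signatures). The following is an added example, not code from the issue or from Keybase: it reads the public-key and hash algorithm bytes out of an OpenPGP v4 signature packet (the layout RFC 4880 section 5.2.3 defines, and what `rpm -Kv` summarises as "V4 RSA/SHA1 Signature") and reports whether the quoted RHEL 9 DEFAULT rule would accept it. The packet bytes are constructed for the demo and are not a real signature; `build_demo_packet`, `parse_signature_packet` and `policy_allows` are names chosen here.

```python
# RFC 4880 algorithm identifiers (section 9.1 and 9.4).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests the RHEL 9 DEFAULT policy accepts for signatures (SHA-1 only survives for HMAC).
DEFAULT_POLICY_OK = {"SHA224", "SHA256", "SHA384", "SHA512"}


def parse_signature_packet(data: bytes) -> dict:
    """Return version, public-key and hash algorithm of an OpenPGP signature packet."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:                      # new-format header, one-octet length only
        tag, body = tag_byte & 0x3F, data[2:]
    else:                                    # old-format header: tag in bits 2-5, length type in bits 0-1
        tag = (tag_byte >> 2) & 0x0F
        body = data[1 + (1, 2, 4, 0)[tag_byte & 0x03]:]
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version, sig_type, pk_algo, hash_algo = body[0], body[1], body[2], body[3]
    if version != 4:
        raise ValueError(f"only v4 signature packets handled here, got v{version}")
    return {
        "version": version,
        "sig_type": sig_type,
        "pubkey": PUBKEY_ALGOS.get(pk_algo, f"algo {pk_algo}"),
        "hash": HASH_ALGOS.get(hash_algo, f"algo {hash_algo}"),
    }


def describe(data: bytes) -> str:
    """Summarise the packet the way rpm -Kv does, e.g. 'V4 RSA/SHA1 Signature'."""
    sig = parse_signature_packet(data)
    return f"V{sig['version']} {sig['pubkey']}/{sig['hash']} Signature"


def policy_allows(data: bytes) -> bool:
    """True if the signature digest is permitted under the DEFAULT crypto policy."""
    return parse_signature_packet(data)["hash"] in DEFAULT_POLICY_OK


def build_demo_packet(hash_algo_id: int) -> bytes:
    """Constructed, non-verifying v4 packet: old-format header, tag 2, one-octet length."""
    body = (bytes([4, 0x00, 1, hash_algo_id])   # version 4, binary-document sig, RSA, digest
            + b"\x00\x00" + b"\x00\x00"         # empty hashed and unhashed subpacket areas
            + b"\xab\xcd"                       # left 16 bits of the hash (dummy)
            + b"\x00\x08\xff")                  # dummy 8-bit MPI
    return bytes([0x88, len(body)]) + body      # 0x88 = old format, tag 2, 1-byte length


if __name__ == "__main__":
    for algo in (2, 8):
        pkt = build_demo_packet(algo)
        print(describe(pkt), "- allowed under DEFAULT:", policy_allows(pkt))
```

Running it against a real package signature means feeding it the bytes rpm stores in the header signature tag; the SHA-1 case is exactly the one the DEFAULT policy turns away, while re-signing with SHA-256 passes without touching the system policy.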