mlj / castget

A simple, command-line based RSS enclosure downloader, primarily intended for automatic, unattended downloading of podcasts.
http://castget.johndal.com
GNU General Public License v2.0

PGP release signing key is expired #27

Open eli-schwartz opened 6 years ago

eli-schwartz commented 6 years ago

While working on https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/ as part of Arch Linux packaging, I realized that castget provides PGP signed releases at https://download.savannah.gnu.org/releases/castget/

However, there are two major problems with the signatures. First, there is no record anywhere of what key is being used to sign those releases, so users cannot confirm that they have the right key. Ideally you'd list your PGP fingerprint on your website for castget itself, while continuing to use savannah.nongnu.org for release hosting. (You can also upload the key to Github, as well as use git to sign the git tags.) Second, the unverified key that was used appears to have expired on 2015-07-01. There is no way we can use an invalid key to verify releases. The key needs to be renewed or replaced.

A third, unrelated issue is that it is a dsa 1024-bit key, which is really quite weak. You should consider creating a new key using rsa2048 at a minimum, or preferably rsa4096, as there is really no downside to using the strongest current key type when creating a new key.

...

By the way, your link to the Arch Linux package for castget is broken. We dropped i686 support, and the correct way to link to the package regardless would be https://www.archlinux.org/packages/?name=castget (which does an exact-name search independent of the repository name or built architecture).
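The two defects raised above (an expired signing key and a 1024-bit DSA key) can be caught mechanically before a packager trusts a release signature. The following is an added example, not code from castget or from this issue: it parses `gpg --with-colons --list-keys` output, flags expired and weak primary keys, and compares the fingerprint against a pinned value. The sample output, key ID and fingerprint are constructed placeholders.

```python
import calendar
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `gpg --with-colons --list-keys` output: a 1024-bit DSA
# primary key (algorithm 17) whose expiry is 2015-07-01 (epoch 1435708800).
# Key ID and fingerprint are placeholders, not a real key.
SAMPLE = """\
tru::1:1500000000:0:3:1:5
pub:e:1024:17:0000000000000000:1250000000:1435708800::-:::scESC::::::::
fpr:::::::::0000000000000000000000000000000000000000:
uid:e::::1250000000::AAAA::Placeholder Maintainer <maintainer@example.org>::::::::::0:
sub:e:2048:16:1111111111111111:1250000000:1435708800:::::e::::::::
"""

# RFC 4880 public-key algorithm IDs as printed in field 4 of a pub record.
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# Minimum acceptable sizes for this audit; anything smaller is flagged.
MIN_BITS = {"RSA": 2048, "DSA": 3072}


@dataclass
class KeyReport:
    fingerprint: str
    algo: str
    bits: int
    expires: Optional[int]      # epoch seconds, None if the key never expires
    problems: List[str]


def _parse_date(field: str) -> Optional[int]:
    """Field 7 is epoch seconds in current gpg; older builds print YYYY-MM-DD."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return calendar.timegm(time.strptime(field, "%Y-%m-%d"))


def audit_keys(colons_output: str, now: int) -> List[KeyReport]:
    """Return one report per primary key, listing expiry and strength problems."""
    reports: List[KeyReport] = []
    current: Optional[KeyReport] = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            algo = PUBKEY_ALGOS.get(int(f[3]), "algo" + f[3])
            current = KeyReport("", algo, int(f[2]), _parse_date(f[6]), [])
            reports.append(current)
            if current.expires is not None and current.expires <= now:
                current.problems.append("expired")
            if current.bits < MIN_BITS.get(algo, 0):
                current.problems.append("weak %s-%d" % (algo, current.bits))
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]   # first fpr after pub is the primary key's
    return reports


def matches_pinned(report: KeyReport, pinned_fpr: str) -> bool:
    """Compare against a fingerprint published out of band (website, README)."""
    return report.fingerprint.upper() == pinned_fpr.replace(" ", "").upper()
```

On a real system, feed `audit_keys` the output of `gpg --with-colons --list-keys <KEYID>` and `int(time.time())` as `now`.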

mlj commented 6 years ago

Thank you for taking the time to report this (with lots of helpful details). I'm afraid that, like many others, I only learned the basics of PGP/GPG and therefore regularly fail to do what is required.

I hadn't uploaded my public key to any key server for some time, thus the expired key. This should be fixed now.

I've added key ID and fingerprint to the website. The key is already associated with my github profile; I'll start signing git tags from now on.

Link to the Arch Linux package fixed.

I'll create a new, stronger key before the current one expires. I'm leaving this issue open as a reminder.

Thanks again for reporting this!

eli-schwartz commented 6 years ago

Thanks!

FWIW you're nowhere near the only person that has a legacy dsa1024 key originally created back when dsa1024 was still a commonly used key strength, and didn't realize it would be good to transition over to a new key.

https://crypto.stackexchange.com/questions/9878/is-a-1024-bit-dsa-key-considered-safe
https://news.ycombinator.com/item?id=9574984