Hello Dimitri

On Fri, 2023-12-01 at 00:20 +0000, Dimitri John Ledkov wrote:
> This makes me wonder if signatures on uploaded or published .dsc have
> any value at all.
Cryptographically speaking, 160-bit hash algorithms are vulnerable to collision attacks but not to preimage attacks. Even today, no one can create a fake package that matches an *existing* hash. However, you can create *two* new packages that result in the same hash.

I checked a random sample from your list and they all appear to be ten years or older. As long as we have additional proof (e.g. signatures from the release team) that these signatures were actually created at the time of upload (when collision attacks were not yet feasible), they are still meaningful.

For comparison: note that the issuing of new X.509 certificates with SHA-1 was deprecated a while ago, but old CA certificates with SHA-1 remained valid for the same reason.

Regards
Stephan
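The distinction Stephan draws (collision attacks let an uploader prepare two packages with the same digest, but nobody can forge a package matching an already published digest) translates into a concrete archive-side policy: a signed .dsc whose only digests are SHA-1 or MD5 still identifies its files uniquely if independent evidence shows the signature predates public collision attacks. The script below is an added example, not code from this thread or from any Debian tool. It parses the `Files`, `Checksums-Sha1` and `Checksums-Sha256` fields of a .dsc body, verifies constructed sample tarballs against them, and grades the result. The cutoff dates are the first public collision demonstrations (MD5: Wang et al., August 2004; SHA-1: SHAttered, February 2017); the field layout is the real .dsc one, but the package name, file contents and the `signed_on` evidence are constructed for the example.

```python
import hashlib
from datetime import date

# Constructed sample: contents of the files a source package would ship.
SAMPLE_FILES = {
    "example_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}

# Dates on which a collision attack on each algorithm became public
# (MD5: Wang et al., Aug 2004; SHA-1: SHAttered, Feb 2017).  No preimage
# attack has been published for either, which is why a signature made
# before these dates still binds the uploader to exactly one package.
COLLISION_PUBLIC_SINCE = {"md5": date(2004, 8, 17), "sha1": date(2017, 2, 23)}
COLLISION_RESISTANT = {"sha256"}

FIELD_FOR = {"md5": "Files", "sha1": "Checksums-Sha1", "sha256": "Checksums-Sha256"}
ALGO_FOR = {field: algo for algo, field in FIELD_FOR.items()}


def build_dsc(files, algos=("md5", "sha1", "sha256")):
    """Render the checksum fields of a .dsc body for `files` (constructed sample)."""
    lines = ["Format: 3.0 (quilt)", "Source: example", "Version: 1.0-1"]
    for algo in algos:
        lines.append(f"{FIELD_FOR[algo]}:")
        for name, data in files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums(dsc_text):
    """Return {algo: {filename: (hexdigest, size)}} from the checksum fields of a .dsc."""
    result, current = {}, None
    for line in dsc_text.splitlines():
        if not line.startswith(" "):            # a new "Name:" field starts
            current = ALGO_FOR.get(line.split(":", 1)[0])
            continue
        if current is None:                     # continuation of an unrelated field
            continue
        digest, size, name = line.split()
        result.setdefault(current, {})[name] = (digest, int(size))
    return result


def verify(dsc_text, files):
    """For each algorithm listed, True iff every listed file matches size and digest."""
    ok = {}
    for algo, entries in parse_checksums(dsc_text).items():
        ok[algo] = all(
            name in files
            and len(files[name]) == size
            and hashlib.new(algo, files[name]).hexdigest() == digest
            for name, (digest, size) in entries.items()
        )
    return ok


def assess(dsc_text, files, signed_on=None):
    """
    What a valid signature over dsc_text tells us about `files`.

    signed_on: date from evidence independent of the .dsc itself (e.g. a
    release-team signature or archive log) that the signature existed then;
    None when no such evidence is available.
    """
    ok = verify(dsc_text, files)
    if any(ok.get(algo) for algo in COLLISION_RESISTANT):
        return "trusted"            # a collision-resistant digest matches
    for algo in ("sha1", "md5"):
        if ok.get(algo):
            if signed_on is not None and signed_on < COLLISION_PUBLIC_SINCE[algo]:
                return "trusted-by-age"   # no colliding twin could have been prepared
            return "unverifiable"         # a second package with this digest is feasible
    return "rejected"               # nothing matched, or no checksum fields at all


if __name__ == "__main__":
    legacy = build_dsc(SAMPLE_FILES, algos=("md5", "sha1"))
    print(assess(build_dsc(SAMPLE_FILES), SAMPLE_FILES))               # trusted
    print(assess(legacy, SAMPLE_FILES))                                 # unverifiable
    print(assess(legacy, SAMPLE_FILES, signed_on=date(2012, 5, 1)))     # trusted-by-age
```

The grading deliberately separates "the digest matches" from "the digest identifies the package": a SHA-1 match on a .dsc signed in 2012 is in the second category, a SHA-1 match with no dating evidence only in the first, and a SHA-256 match needs no dating argument at all.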