Hi,

one of the Debian packagers of apr/httpd has noticed that current gpg refuses to work with some of the old keys in apr's KEYS file because they use MD5:
==================================
$ mkdir ring
$ chmod 700 ring
$ wget https://www.apache.org/dist/apr/KEYS
$ gpg2 --homedir ring --import KEYS
gpg: keyring `ring/secring.gpg' created
gpg: keyring `ring/pubring.gpg' created
gpg: ring/trustdb.gpg: trustdb created
gpg: key E005C9CB: public key "Greg Stein <[email protected]>" imported
gpg: key 13046155: public key "Thom May <[email protected]>" imported
gpg: key E2226795: public key "Justin R. Erenkrantz <[email protected]>" imported
gpg: key DE885DD3: public key "Sander Striker <[email protected]>" imported
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 10FDE075: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key B55D9977: public key "William A. Rowe, Jr. <[email protected]>" imported
gpg: key CC8B0F7E: public key "Aaron Bannert <[email protected]>" imported
gpg: key 5C1C3AD7: public key "David Reid <[email protected]>" imported
gpg: key 42721F00: public key "Paul Querna <[email protected]>" imported
gpg: key 9BCFCE2F: public key "Garrett Rooney <[email protected]>" imported
gpg: key 159BB6F8: public key "Bradley Nicholes <[email protected]>" imported
gpg: key 4DAA1988: public key "Bojan Smojver <[email protected]>" imported
gpg: key 08C975E5: public key "Jim Jagielski <[email protected]>" imported
gpg: key 751D7F27: public key "Graham Leggett <[email protected]>" imported
gpg: key 39FF092C: public key "Jeff Trawick (CODE SIGNING KEY) <[email protected]>" imported
gpg: key 41CEFDE0: public key "Stefan Fritsch <[email protected]>" imported
$ gpg2 --homedir ring --list-keys
ring/pubring.gpg
----------------
pub   1024D/E005C9CB 2002-08-15
uid       [ unknown] Greg Stein <[email protected]>
uid       [ unknown] Greg Stein <[email protected]>
uid       [ unknown] Greg Stein <[email protected]>
pub   1024D/13046155 2000-10-08
uid       [ unknown] Thom May <[email protected]>
uid       [ unknown] Thom May <[email protected]>
uid       [ unknown] Thom May <[email protected]>
uid       [ unknown] Thom May <[email protected]>
sub   1024g/C0B77EEF 2000-10-08
pub   1024D/E2226795 1999-09-19
uid       [ unknown] Justin R. Erenkrantz <[email protected]>
uid       [ unknown] Justin R. Erenkrantz <[email protected]>
sub   2048g/8B626683 1999-09-19
pub   1024D/DE885DD3 2002-04-10
uid       [ unknown] Sander Striker <[email protected]>
uid       [ unknown] Sander Striker <[email protected]>
sub   2048g/532D14CA 2002-04-10
pub   4096R/B55D9977 2008-04-09 [expires: 2018-07-07]
uid       [ unknown] William A. Rowe, Jr. <[email protected]>
uid       [ unknown] William A. Rowe, Jr. <[email protected]>
uid       [ unknown] William A. Rowe, Jr. <[email protected]>
pub   1024D/CC8B0F7E 2001-10-02
uid       [ unknown] Aaron Bannert <[email protected]>
uid       [ unknown] Aaron Bannert <[email protected]>
uid       [ unknown] Aaron Bannert <[email protected]>
uid       [ unknown] Aaron Bannert <[email protected]>
sub   2048g/87DB90E0 2001-10-02
pub   1024D/5C1C3AD7 2002-11-17
uid       [ unknown] David Reid <[email protected]>
sub   2048g/4CD63851 2002-11-17
pub   1024D/42721F00 2004-01-17
uid       [ unknown] Paul Querna <[email protected]>
uid       [ unknown] Paul Querna <[email protected]>
uid       [ unknown] Paul Querna <[email protected]>
uid       [ unknown] Paul Querna <[email protected]>
sub   2048g/7A2BE310 2004-01-17
pub   1024D/9BCFCE2F 2005-11-22
uid       [ unknown] Garrett Rooney <[email protected]>
uid       [ unknown] Garrett Rooney <[email protected]>
sub   2048g/87DDD6FE 2005-11-22
pub   1024D/159BB6F8 2005-12-07
uid       [ unknown] Bradley Nicholes <[email protected]>
sub   2048g/431E3F11 2005-12-07
pub   2048R/4DAA1988 2008-08-20
uid       [ unknown] Bojan Smojver <[email protected]>
sub   2048R/9E49284A 2008-08-20 [expires: 2018-08-18]
sub   2048R/CAA19524 2008-08-20 [expires: 2018-08-18]
pub   1024D/08C975E5 1999-04-14
uid       [ unknown] Jim Jagielski <[email protected]>
uid       [ unknown] Jim Jagielski <[email protected]>
uid       [ unknown] Jim Jagielski <[email protected]>
uid       [ unknown] Jim Jagielski <[email protected]>
uid       [ unknown] Jim Jagielski <[email protected]>
sub   2048g/4CCDB430 1999-04-14
pub   1024D/751D7F27 1999-08-19
uid       [ unknown] Graham Leggett <[email protected]>
uid       [ unknown] Graham Leggett <[email protected]>
sub   2048g/18F4AD9E 1999-08-19
pub   4096R/39FF092C 2010-01-19
uid       [ unknown] Jeff Trawick (CODE SIGNING KEY) <[email protected]>
sub   4096R/E4799D69 2010-01-19
pub   4096R/41CEFDE0 2009-07-10
uid       [ unknown] Stefan Fritsch <[email protected]>
uid       [ unknown] Stefan Fritsch <[email protected]>
uid       [ unknown] Stefan Fritsch <[email protected]>
sub   4096R/1AE300C2 2009-07-10
==================================

Can we clean that file up a bit and remove all people who have been inactive for quite some time? Ideally, we would remove all keys with less than 2048 bits, but that may not be possible, yet.

I propose to only keep these keys:

pub   4096R/B55D9977 2008-04-09 [expires: 2018-07-07]
uid       [ unknown] William A. Rowe, Jr. <[email protected]>
pub   2048R/4DAA1988 2008-08-20
uid       [ unknown] Bojan Smojver <[email protected]>
pub   1024D/751D7F27 1999-08-19
uid       [ unknown] Graham Leggett <[email protected]>
pub   4096R/39FF092C 2010-01-19
uid       [ unknown] Jeff Trawick (CODE SIGNING KEY) <[email protected]>
pub   4096R/41CEFDE0 2009-07-10
uid       [ unknown] Stefan Fritsch <[email protected]>

and add Jim's newer key (791485A8) that is not in the KEYS file, yet. Of course, all other people would be free to re-add their keys (or preferably a newer, stronger one) when they do a release.

OK to go ahead? Comments?

Graham, do you have a newer, stronger key as well?

There are similar problems with httpd's KEYS file, but I will deal with that later.

Cheers,
Stefan
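The mail above applies the key-strength policy by eye. The script below is an added example, written for this page and not part of the mail or of the APR project, that does the same audit mechanically. It parses two things gpg produces during the procedure shown: the stderr of `gpg2 --import` (to catch keys that never make it into the keyring because their only self-signature uses MD5, such as 10FDE075) and the machine-readable output of `gpg2 --with-colons --list-keys` (to catch primary keys below a bit-length threshold, or already expired). The colon listing embedded here is constructed from the keys printed in the mail, using the short key IDs the mail shows and the epoch-seconds date form that gpg 2.x prints in the colon format; the field positions (type, validity, bits, algorithm, key ID, created, expires, ..., user ID in field 10) follow gpg's documented colon layout. The `MIN_BITS` threshold and the `as_of` timestamp are parameters chosen for the example.

```python
"""Audit a KEYS file against a minimum key-strength policy.

Added example (not from the mail or the APR project). Feed it the stderr of
`gpg2 --homedir ring --import KEYS` and the stdout of
`gpg2 --homedir ring --with-colons --list-keys`.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OpenPGP public-key algorithm IDs as gpg prints them in colon field 4.
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

MIN_BITS = 2048  # policy threshold proposed in the mail (assumption: applied to primary keys)


@dataclass
class PrimaryKey:
    keyid: str           # short (last 8 hex digits) key ID, as the mail prints them
    bits: int
    algo: int
    created: Optional[int]   # epoch seconds (gpg 2.x colon format), None if unparsable
    expires: Optional[int]   # epoch seconds, None if the key does not expire
    uids: List[str] = field(default_factory=list)


def _epoch(s: str) -> Optional[int]:
    """gpg 2.x prints dates as epoch seconds; anything else is treated as unknown."""
    return int(s) if s.isdigit() else None


def parse_colon_listing(text: str) -> List[PrimaryKey]:
    """Collect primary keys and their user IDs from `--with-colons --list-keys` output.

    Subkey ('sub') records are ignored on purpose: the policy in the mail is about
    the primary key that certifies the user IDs and signs releases.
    """
    keys: List[PrimaryKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(PrimaryKey(f[4][-8:], int(f[2]), int(f[3]), _epoch(f[5]), _epoch(f[6])))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


# Matches the line gpg prints when every self-signature on a key was rejected.
IMPORT_REJECT = re.compile(r"^gpg: key ([0-9A-F]+): no valid user IDs$", re.M)


def rejected_on_import(import_stderr: str) -> List[str]:
    """Key IDs that were dropped at import time (they never appear in the listing)."""
    return IMPORT_REJECT.findall(import_stderr)


def audit(keys: List[PrimaryKey], rejected: List[str],
          min_bits: int = MIN_BITS, as_of: Optional[int] = None) -> Dict[str, List[str]]:
    """Return {keyid: [reasons]} for every key that fails the policy."""
    findings: Dict[str, List[str]] = {
        k: ["rejected on import: no valid user IDs (self-signature rejected, e.g. MD5)"]
        for k in rejected
    }
    for k in keys:
        reasons = []
        if k.bits < min_bits:
            reasons.append(f"{k.bits}-bit {ALGO_NAMES.get(k.algo, k.algo)} is below {min_bits} bits")
        if as_of is not None and k.expires is not None and k.expires < as_of:
            reasons.append("expired")
        if not k.uids:
            reasons.append("no user IDs")
        if reasons:
            findings[k.keyid] = reasons
    return findings


# Constructed sample: the import messages quoted in the mail that matter here.
SAMPLE_IMPORT_LOG = """\
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 10FDE075: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key B55D9977: public key "William A. Rowe, Jr. <[email protected]>" imported
"""

# Constructed sample colon listing for five of the keys in the mail (user IDs elided).
SAMPLE_LISTING = """\
pub:-:1024:17:E005C9CB:1029369600:::-:::scESC::::::23::0:
uid:-::::1029369600::0000000000000000000000000000000000000000::Greg Stein <[email protected]>::::::::::0:
uid:-::::1029369600::0000000000000000000000000000000000000000::Greg Stein <[email protected]>::::::::::0:
uid:-::::1029369600::0000000000000000000000000000000000000000::Greg Stein <[email protected]>::::::::::0:
pub:-:4096:1:B55D9977:1207699200:1530921600::-:::scESC::::::23::0:
uid:-::::1207699200::0000000000000000000000000000000000000000::William A. Rowe, Jr. <[email protected]>::::::::::0:
pub:-:2048:1:4DAA1988:1219190400:::-:::scESC::::::23::0:
uid:-::::1219190400::0000000000000000000000000000000000000000::Bojan Smojver <[email protected]>::::::::::0:
pub:-:1024:17:751D7F27:935020800:::-:::scESC::::::23::0:
uid:-::::935020800::0000000000000000000000000000000000000000::Graham Leggett <[email protected]>::::::::::0:
pub:-:4096:1:39FF092C:1263859200:::-:::scESC::::::23::0:
uid:-::::1263859200::0000000000000000000000000000000000000000::Jeff Trawick (CODE SIGNING KEY) <[email protected]>::::::::::0:
"""


if __name__ == "__main__":
    import sys
    keys = parse_colon_listing(SAMPLE_LISTING)
    for keyid, reasons in audit(keys, rejected_on_import(SAMPLE_IMPORT_LOG),
                                as_of=1500000000).items():
        print(f"{keyid}: {'; '.join(reasons)}", file=sys.stderr)
```

Two points the script makes explicit that the hand audit in the mail does not: a key whose only self-signature was rejected (MD5 here) is invisible to `--list-keys`, so the import log has to be checked separately, and subkey expiry (as on 4DAA1988) is not the same as primary-key expiry, which is why only `pub` records are judged.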
