Hi Dominik,
> On 9. Jan 2026, at 15:05, Dominik 'Rathann' Mierzejewski
> <[email protected]> wrote:
>
> Please don't and transfer it to me instead. I'm still using it to
> validate the PGP-2 signatures on tin package tarballs:
> https://src.fedoraproject.org/rpms/tin/blob/rawhide/f/tin.spec#_40
> GnuPG 2.x doesn't support these. Neither does Sequoia as far as I can
> tell.
You might as well stop validating this signature. It uses MD-5:
:) cllang@gallumbits:/tmp$ sq packet dump tin-2.6.5.tar.xz.sign
Signature Packet, old CTB, 149 bytes
Version: 3
Type: Binary
Pk algo: RSA
Hash algo: MD5
Hashed area:
Signature creation time: 2025-12-23 23:21:25 UTC (critical)
Unhashed area:
Issuer: 5A49550EB490B4D1
Digest prefix: 55B2
Level: 0 (signature over data)
MD-5 is very broken. The public key also seems to use a MD-5 signature over its
user IDs and probably its subkeys as well.
I suggest you get in touch with upstream and ask whether they can modernize
their key.
--
Clemens Lang
RHEL Crypto Team
Red Hat
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
