Linus Torvalds <torva...@linux-foundation.org> writes:
> From: Linus Torvalds <torva...@linux-foundation.org>
> Date: Tue, 16 Aug 2016 13:10:24 -0700
> Subject: [PATCH] Prefer "long" key format output when verifying pgp signatures
> Yes, gpg2 already uses the long format by default, but most
> distributions seem to still have "gpg" be the older 1.x version due to
> compatibility reasons. And older versions of gpg only show the 32-bit
> short ID, which is quite insecure.
> But the 32-bit key ID's really are broken. Also note that because of the
> differences between gpg-1.x and gpg-2.x, hopefully any scripted key ID
> parsing code (if such code exists) is already flexible enough to not care.
> This was triggered by the fact that the "evil32" project keys ended up
> leaking to the public key servers, so now there are 32-bit aliases for
> just about every open source developer that you can easily get by
> mistake if you use the 32-bit short ID format.
> Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
> That's a very long commit message for a very trivial patch.
> I'm not particularly happy with the 64-bit long format either, but it's
> better than what we have now, and appears to be as good as it gets.
Thanks. Will queue.
> gpg-interface.c | 1 +
> 1 file changed, 1 insertion(+)
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 08356f92e7b3..8672edaf4823 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -217,6 +217,7 @@ int verify_signed_buffer(const char *payload, size_t
> + "--keyid-format=long",
> "--verify", temp.filename.buf, "-",
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html