Hello,

On 14/09/14 16:06, Wietse Venema wrote:
> Thanks for checking the signature. MD5 is good enough for Postfix
> tarballs, since there are no known second pre-image attacks. It has
> the significant benefit that it is supported by every existing PGP
> implementation.

The crypto is understood. You may, however, be interested to know that gpg since 2.0.23 rejects MD5 signatures by default. From http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=NEWS;h=88c667be68a59f3eb8c373ebd6bf8f023a2d314e;hb=refs/heads/STABLE-BRANCH-2-0#l54

> * gpg: Reject signatures made using the MD5 hash algorithm unless the
> new option --allow-weak-digest-algos or --pgp2 are given.

> What does this have to do with openSUSE source-code tarballs?

Our package build system checks your signatures against your tarballs; the verification fails due to the MD5 signature, obviously also because none of the above compatibility options are used on our side. If at all possible I would appreciate a more modern digest algorithm to be used, as far as it works with the compatibility concerns you mentioned.

Thanks,
Andreas
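As an added example (not from this thread, nor from Postfix or openSUSE tooling), here is a small pre-check a build system could run on a binary detached signature to report the digest algorithm explicitly, rather than getting only a generic failure from gpg >= 2.0.23. It parses the OpenPGP signature packet header and version 3/4 body layout from RFC 4880; the two sample signature packets are constructed, not real signatures, and the input is assumed to be raw packet bytes (a .sig file), not ASCII-armored .asc text.

```python
"""Report which hash algorithm an OpenPGP signature packet (RFC 4880) uses."""
from typing import Tuple

# RFC 4880 section 9.4 hash algorithm identifiers (subset)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5"}  # rejected by gpg 2.0.23+ unless --allow-weak-digest-algos

def parse_packet_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) of the first packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                      # new-format header (section 4.2.2)
        tag, b1 = first & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header (4.2.1)
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate length not supported")

def signature_hash_algo(sig: bytes) -> str:
    """Name of the digest used by a signature packet (tag 2), v3 or v4."""
    tag, off, _ = parse_packet_header(sig)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version = sig[off]
    if version == 4:     # version, sig type, pk algo, hash algo, ...
        hash_id = sig[off + 3]
    elif version == 3:   # version, 5, sig type, time(4), key id(8), pk algo, hash algo
        hash_id = sig[off + 16]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return HASH_ALGOS.get(hash_id, f"unknown({hash_id})")

def is_weak_signature(sig: bytes) -> bool:
    return signature_hash_algo(sig) in WEAK_DIGESTS

# Constructed v4 signature packets (old-format header 0x88, new-format 0xC2):
# RSA over MD5 (hash id 1) and RSA over SHA256 (hash id 8); MPI is a dummy.
MD5_SIG = bytes.fromhex("880d 0400 0101 0000 0000 abcd 0008 ff")
SHA256_SIG = bytes.fromhex("c20d 0400 0108 0000 0000 abcd 0008 ff")
```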