Andreas Stieger:
> Hello,
>
> On 14/09/14 16:06, Wietse Venema wrote:
> > Thanks for checking the signature. MD5 is good enough for Postfix
> > tarballs, since there are no known second pre-image attacks. It has
> > the significant benefit that it is supported by every existing PGP
> > implementation.
>
> The crypto is understood. You may however be interested to know that gpg
> since 2.0.23 rejects MD5 signatures by default. From
Thereby hindering the validation of past documents.
> > What does this have to do with openSUSE source-code tarballs?
>
> Our package build system checks your signatures against your tarballs,
> the verification fails due to the MD5 signature, obviously also because
> none of the above compatibility options are used on our side.
I see. You could of course turn on those options. I have no plans
to re-sign already-released tarballs.
> If at all possible I would appreciate a more modern digest algorithm to
> be used as far as it works with the compatibility concerns you mentioned.
I can update the packaging script to issue multiple PGP signatures.
What suffix do you suggest for sha512-based PGP signatures? I have
no plans to stop issuing the traditional MD5-based .sig files.
Wietse
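As an added example, not code from this thread or from the Postfix project: a small POSIX shell helper a package build system could run before `gpg --verify`, to report which digest a detached .sig uses (parsed from a `gpg --list-packets` dump) and to accept only SHA-2 based signatures, independent of gpg's own default policy. The packet-dump sample, its key id and the tarball name are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify the digest algorithm of a detached PGP signature
# so a build system can flag MD5-based .sig files explicitly, instead of
# discovering the problem only when gpg >= 2.0.23 rejects them by default.

# Map an RFC 4880 hash-algorithm id (as printed by gpg --list-packets) to a name.
pgp_digest_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read a `gpg --list-packets` dump on stdin; print the digest name of the first
# signature packet, or "none" when the dump contains no "digest algo" line.
pgp_sig_digest() {
    id=$(sed -n 's/^[[:space:]]*digest algo \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$id" ]; then
        echo none
    else
        pgp_digest_name "$id"
    fi
}

# Policy check: return 0 only for SHA-2 family digests, 1 for anything else
# (MD5, SHA1, unknown, none).
pgp_sig_acceptable() {
    case "$1" in
        SHA224|SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed dump in the shape gpg prints for an MD5-based v4 signature
# (placeholder key id; gpg indents continuation lines with a tab or spaces).
SAMPLE_MD5_DUMP=':signature packet: algo 1, keyid 0000000000000000
    version 4, created 1410700000, md5len 0, sigclass 0x00
    digest algo 1, begin of digest 12 34'

# Real-file usage (needs gpg installed; tarball name is a placeholder):
#   gpg --list-packets postfix-VERSION.tar.gz.sig | pgp_sig_digest
```

Running `pgp_sig_digest` on the constructed sample prints `MD5`, which `pgp_sig_acceptable` rejects; a sha512-based signature file would show `SHA512` and pass.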