On 10/28/21 18:17, Justus Winter wrote:
Panu Matilainen writes:
https://tests.sequoia-pgp.org/rpmsop.html#Detached_Sign-Verify_roundtrip_with_key__Bob___MD5
- accepts MD5 signatures !!!
https://tests.sequoia-pgp.org/rpmsop.html#Signature_over_the_shattered_collision
- accepts SHA1
On Thu, Oct 28, 2021 at 05:17:33PM +0200, Justus Winter wrote:
> In my opinion, these signatures should be rejected by RPM. If working
> with nineties material is really a thing, the user should explicitly
> opt into these unsafe algorithms.
Right. The way we usually do it in rpm is to make it