Replace usage of SHA-1 for self-signatures in existing packager keys
The following packager keys use SHA-1 for at least some of their self-signatures:

- 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD @allan
- ADC8A1FCC15E01D45310419E94657AB20F2A092B @andyrtr
- 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25 @arojas
- CFA6AF15E5C74149FC1D8C086D1655C14CE1C13E @bluewind
- 02FD1C7A934E614545849F19A6234074498E9CEE @eworm
- B5971F2C5C10A9A08C60030F786C63F330D7CB92 @felixonmars
- 86CFFCA918CF3AF47147588051E8B148A9999C34 @foutrelis
- C100346676634E80C940FB9E9C02FF419FECBE16 @foxboron
- E499C79F53C96A54E572FEE1C06086337C50773E @jelle
- 535F8C0339450F054A4D282706096A6AD1CEDDAC @lcarlier
- 2E36D8620221482FC45CB7F2A91764759326B440 @lfleischer
- 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC @pierre
- 44EA62ACDBC81B6A0D1FD267206CBC892D1493D2 @remy
- 903BAB73640EB6D65533EFF3468F122CE8162295 @sangy
- B81B051F2D7FC867AAFF35A58DBD63B82072D77A @seblu
- 8FC15A064950A99DD1BD14DD39E4B877E62EB915 @svenstaro
- 5B7E3FB71B7F10329A1C03AB771DF6627EDF681F @tpowa
SHA-1 is no longer considered secure for signatures, and self-signatures that rely on it block Arch from upgrading to GnuPG 2.3.

Fortunately it is possible to fix this without creating a new key: `sq-keyring-linter` from the `sequoia-keyring-linter` package can re-create the affected self-signatures in place (the key material and therefore the fingerprint stay the same). Run it on your secret key:

```
gpg --export-secret-keys <FINGERPRINT> | sq-keyring-linter --fix -p <SECRET_KEY_PASSWORD> | gpg --import
```
Once you have done that, verify that `sq-keyring-linter` no longer reports any issues for the public key (it should print "No issues found"):

```
gpg --export <FINGERPRINT> | sq-keyring-linter
```
Afterwards please open a merge request for the updated key in this repository as described in the Modify a Packager Key workflow. An example merge request for this is !104 (closed).
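As an added example (not part of this issue or of the archlinux-keyring repository), the round-trip above wrapped in a small POSIX shell helper: `fix_key` reads the passphrase from the terminal instead of taking it from the command line (so it does not land in shell history; note that with `-p` it is still visible in the process list while the linter runs), checks that the primary fingerprint is unchanged after the re-import, and re-lints the exported public key. `affected_certs` summarizes linter output such as the listing further down into one line per certificate with the number of findings. Assumptions: `gpg` and `sq-keyring-linter` are on `PATH`, and a clean key makes the linter print the "No issues found" string quoted above. The sample linter lines in `SAMPLE_LINT` are taken from the output in this issue.

```sh
#!/bin/sh
# Added example helper around the sq-keyring-linter round-trip described in
# the issue; not code from archlinux-keyring or sequoia. Assumes gpg and
# sq-keyring-linter on PATH.

# Constructed sample: three finding lines copied from the issue's linter output
# plus the summary line that follows them.
SAMPLE_LINT='Certificate 94657AB20F2A092B contains a User ID ("Andreas Radke <andyrtr@archlinux.org>") protected by SHA-1
Certificate 94657AB20F2A092B, key 73FBCC8753AF8961 uses a SHA-1-protected binding signature.
Certificate 06096A6AD1CEDDAC, key F816925BB5E4ADE8 uses a SHA-1-protected binding signature.
Examined 3 certificates.'

# Read linter output on stdin; print "<KEYID> <number of findings>" per
# certificate, sorted. Every finding line starts with "Certificate <KEYID>",
# optionally followed by a comma when a subkey is named.
affected_certs() {
    awk '/^Certificate / { gsub(/,/, "", $2); certs[$2]++ }
         END { for (c in certs) print c, certs[c] }' | sort
}

# Exit 0 when the linter output on stdin reports a clean key (string assumed
# from the issue text), 1 otherwise.
lint_clean() {
    grep -q 'No issues found'
}

# Primary fingerprint of a key from gpg's machine-readable colon format
# (record type "fpr", field 10).
primary_fpr() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Re-sign the SHA-1 self-signatures of one key, then verify the result.
fix_key() {
    fpr=$1
    before=$(primary_fpr "$fpr")
    printf 'Passphrase for %s: ' "$fpr" >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    # The round-trip from the issue: only the self-signatures are re-created,
    # the key material is unchanged.
    gpg --export-secret-keys "$fpr" | sq-keyring-linter --fix -p "$pw" | gpg --import
    unset pw
    after=$(primary_fpr "$fpr")
    if [ "$before" != "$after" ]; then
        echo "fingerprint changed from $before to $after; refusing to continue" >&2
        return 1
    fi
    if gpg --export "$fpr" | sq-keyring-linter 2>&1 | lint_clean; then
        echo "$fpr: no issues found, ready for the merge request" >&2
    else
        echo "$fpr: linter still reports issues" >&2
        return 1
    fi
}

# Usage: ./fix-sha1-selfsigs.sh --fix <FINGERPRINT>
# Without arguments, summarize the constructed sample instead.
if [ "${1:-}" = "--fix" ]; then
    fix_key "$2"
else
    printf '%s\n' "$SAMPLE_LINT" | affected_certs
fi
```

On the sample the summary is `06096A6AD1CEDDAC 1` and `94657AB20F2A092B 2`; pipe the real output of `gpg --export-secret-keys ... | sq-keyring-linter` into `affected_certs` to get the same view for your own keyring.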
For completeness, this is the full output of `sq-keyring-linter` for the problematic keys:

```
Certificate F99FFE0FEAE999BD is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate F99FFE0FEAE999BD contains a User ID ("Allan McRae (Developer) <allan@archlinux.org>") protected by SHA-1
Certificate F99FFE0FEAE999BD contains a User ID ("Allan McRae <me@allanmcrae.com>") protected by SHA-1
Certificate F99FFE0FEAE999BD, key F0723BDE753CCF8D uses a SHA-1-protected binding signature.
Certificate 94657AB20F2A092B contains a User ID ("Andreas Radke <andyrtr@archlinux.org>") protected by SHA-1
Certificate 94657AB20F2A092B, key 73FBCC8753AF8961 uses a SHA-1-protected binding signature.
Certificate 4AC5588F941C2A25 is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate 4AC5588F941C2A25 contains a User ID ("Antonio Rojas <arojas@archlinux.org>") protected by SHA-1
Certificate 4AC5588F941C2A25 contains a User ID ("Antonio Rojas <arojas@us.es>") protected by SHA-1
Certificate 4AC5588F941C2A25 contains a User ID ("Antonio Rojas <nqn1976@gmail.com>") protected by SHA-1
Certificate 4AC5588F941C2A25 contains a User ID ("Antonio Rojas <nqn76sw@gmail.com>") protected by SHA-1
Certificate 4AC5588F941C2A25, key 7A4E76095D8A52E4 uses a SHA-1-protected binding signature.
Certificate 4AC5588F941C2A25, key 8A209A614C6E5289 uses a SHA-1-protected binding signature.
Certificate 6D1655C14CE1C13E contains a User ID ("Florian Pritz <bluewind@jabber.ccc.de>") protected by SHA-1
Certificate 6D1655C14CE1C13E contains a User ID ("Florian Pritz <bluewind@xinu.at>") protected by SHA-1
Certificate 6D1655C14CE1C13E contains a User ID ("Florian Pritz <flo@xinu.at>") protected by SHA-1
Certificate 6D1655C14CE1C13E, key 89B75E070965A73B uses a SHA-1-protected binding signature.
Certificate A6234074498E9CEE contains a User ID ("Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>") protected by SHA-1
Certificate A6234074498E9CEE, key 51F0013467F1E8BF uses a SHA-1-protected binding signature.
Certificate 51E8B148A9999C34 is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate 51E8B148A9999C34 contains a User ID ("Evangelos Foutras <evangelos@foutrelis.com>") protected by SHA-1
Certificate 51E8B148A9999C34 contains a User ID ("Evangelos Foutras <foutrelis@archlinux.org>") protected by SHA-1
Certificate 51E8B148A9999C34 contains a User ID ("Evangelos Foutras <foutrelis@gmail.com>") protected by SHA-1
Certificate 51E8B148A9999C34, key 7148569F07EEC3DD uses a SHA-1-protected binding signature.
Certificate 9C02FF419FECBE16 contains a User ID ("Morten Linderud <mcfoxax@gmail.com>") protected by SHA-1
Certificate 9C02FF419FECBE16 contains a User ID ("Morten Linderud <morten@linderud.pw>") protected by SHA-1
Certificate 9C02FF419FECBE16, key DF2502D0C726D1C0 uses a SHA-1-protected binding signature.
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <felixonmars@archlinux.org>") protected by SHA-1
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <felixonmars@archlinuxcn.org>") protected by SHA-1
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <felixonmars@gmail.com>") protected by SHA-1
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <felixonmars@nyaa.cat>") protected by SHA-1
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <felixyan@bbtechgroup.com>") protected by SHA-1
Certificate 786C63F330D7CB92 contains a User ID ("Felix Yan <i@felixc.at>") protected by SHA-1
Certificate 786C63F330D7CB92, key 730B9E9C6D64631D uses a SHA-1-protected binding signature.
Certificate C06086337C50773E is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate C06086337C50773E contains a User ID ("Jelle van der Waa <jelle@archlinux.org>") protected by SHA-1
Certificate C06086337C50773E contains a User ID ("Jelle van der Waa <jelle@vdwaa.nl>") protected by SHA-1
Certificate C06086337C50773E, key 7252BA6DA83E99A3 uses a SHA-1-protected binding signature.
Certificate 06096A6AD1CEDDAC, key F816925BB5E4ADE8 uses a SHA-1-protected binding signature.
Certificate A91764759326B440, key 4951F605EC9A8E15 uses a SHA-1-protected binding signature.
Certificate 7F2D434B9741E8AC, key E9B9D36A54211796 uses a SHA-1-protected binding signature.
Certificate 206CBC892D1493D2 is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate 206CBC892D1493D2 contains a User ID ("Rémy Oudompheng <oudomphe@phare.normalesup.org>") protected by SHA-1
Certificate 206CBC892D1493D2 contains a User ID ("Rémy Oudompheng <remy@archlinux.org>") protected by SHA-1
Certificate 206CBC892D1493D2, key 85829D752DCC038A uses a SHA-1-protected binding signature.
Certificate 468F122CE8162295, key B7D95B86F90CC0EB uses a SHA-1-protected binding signature.
Certificate 8DBD63B82072D77A contains a User ID ("Sébastien Luttringer <sebastien.luttringer@epita.net>") protected by SHA-1
Certificate 8DBD63B82072D77A contains a User ID ("Sébastien Luttringer <sebastien.luttringer@gmail.com>") protected by SHA-1
Certificate 8DBD63B82072D77A contains a User ID ("Sébastien Luttringer <sebastien@luttringer.net>") protected by SHA-1
Certificate 8DBD63B82072D77A contains a User ID ("Sébastien Luttringer <seblu@seblu.net>") protected by SHA-1
Certificate 8DBD63B82072D77A, key 38DCEEBE387A1EEE uses a SHA-1-protected binding signature.
Certificate 8DBD63B82072D77A, key FB49476446A47177 uses a SHA-1-protected binding signature.
Certificate 39E4B877E62EB915 contains a User ID ("Sven-Hendrik Haase <sh@lutzhaase.com>") protected by SHA-1
Certificate 39E4B877E62EB915, key 208774A5EAAA28E7 uses a SHA-1-protected binding signature.
Certificate 771DF6627EDF681F is not valid under the standard policy: No binding signature at time 2022-07-09T10:34:26Z
Certificate 771DF6627EDF681F contains a User ID ("Tobias Powalowski <tobias.powalowski@googlemail.com>") protected by SHA-1
Certificate 771DF6627EDF681F contains a User ID ("Tobias Powalowski <tpowa@archlinux.org>") protected by SHA-1
Certificate 771DF6627EDF681F, key 68F8B4F65BF91F41 uses a SHA-1-protected binding signature.

Examined 17 certificates.
  0 certificates are invalid and were not linted. (GOOD)
  17 certificates were linted.
  17 of the 17 certificates (100%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
  0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
17 of the non-revoked linted certificates have at least one non-revoked User ID:
  13 have at least one User ID protected by SHA-1. (BAD)
  6 have all User IDs protected by SHA-1. (BAD)
17 of the non-revoked linted certificates have at least one non-revoked, live subkey:
  17 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
3 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
  0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
```