SHA1 algo used in canaries PGP signing
Closed, Resolved | Public

Description

The SHA1 algorithm is 'practically broken'; see the recent news at https://shattered.io/
which under "What types of systems are affected?" says "Any application that relies on SHA-1 for digital signatures" and mentions "Email PGP/GPG signatures"

The Purism canaries are signed using the SHA1 algo in:
https://puri.sm/warrant-canary/
https://github.com/purism/warrant-canary/tree/master/canaries

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1"

fix:

use SHA256 as signing algorithm for future canaries.

e3amn2l created this task. Jun 18 2017, 12:56 PM
e3amn2l created this object with edit policy "e3amn2l".
todd closed this task as "Resolved". Jan 6 2018, 8:38 PM
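
An added example, not part of the original task or of Purism's tooling: a small check that reads the `Hash:` armor header of a clearsigned message, as quoted in the description, and reports weak digests. The sample messages are constructed, the `WEAK` set is this example's own policy, and the MD5 default for a missing header follows RFC 4880 section 7.

```python
import re

WEAK = {"MD5", "SHA1"}  # policy assumed by this example
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"

def declared_hashes(text):
    """Return digest names declared in a clearsigned message's armor headers.

    Handles several "Hash:" lines and comma-separated lists. A message with
    no Hash header is treated as MD5 (RFC 4880 section 7).
    """
    lines = [l.rstrip() for l in text.replace("\r\n", "\n").split("\n")]
    if BEGIN not in lines:
        raise ValueError("not a clearsigned OpenPGP message")
    names = []
    for line in lines[lines.index(BEGIN) + 1:]:
        if line == "":  # a blank line ends the armor headers
            break
        m = re.match(r"Hash:\s*(.+)$", line)
        if m:
            names += [n.strip().upper() for n in m.group(1).split(",") if n.strip()]
    return names or ["MD5"]

def weak_hashes(text):
    """Return the declared digests that fall in WEAK, in order of appearance."""
    return [h for h in declared_hashes(text) if h in WEAK]

# Constructed samples (not real canaries; signature bodies are placeholders).
_TAIL = "\ncanary text\n-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
SAMPLE_SHA1 = BEGIN + "\nHash: SHA1\n" + _TAIL
SAMPLE_SHA256 = BEGIN + "\nHash: SHA256\n" + _TAIL
SAMPLE_MIXED = BEGIN + "\nHash: SHA256, SHA1\n" + _TAIL
SAMPLE_NO_HEADER = BEGIN + "\n" + _TAIL

if __name__ == "__main__":
    for name, msg in [("sha1", SAMPLE_SHA1), ("sha256", SAMPLE_SHA256),
                      ("mixed", SAMPLE_MIXED), ("no header", SAMPLE_NO_HEADER)]:
        bad = weak_hashes(msg)
        print(f"{name}: {'WEAK ' + ','.join(bad) if bad else 'ok'}")
```

The header is only a declaration; the signature packet itself carries the digest algorithm actually used, so a full check also verifies the signature. On the signing side, GnuPG's `--digest-algo SHA256` option selects the digest for new signatures.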
