
SHA1 algo used in canaries PGP signing
Closed, Resolved (Public)

Description

The SHA1 algorithm is 'practically broken'; see recent news at https://shattered.io/
which, under "What types of systems are affected?", says "Any application that relies on SHA-1 for digital signatures" and mentions "Email PGP/GPG signatures".

The purism canaries are signed using SHA1 algo in:
https://puri.sm/warrant-canary/
https://github.com/purism/warrant-canary/tree/master/canaries

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1"

fix:

use SHA256 as signing algorithm for future canaries.

Event Timeline

e3amn2l created this task. Jun 18 2017, 05:56
e3amn2l created this object with edit policy "e3amn2l".
todd closed this task as Resolved. Jan 6 2018, 12:38
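
An added example, not part of the original task or of Purism's tooling: a check for the `Hash: SHA1` condition reported above. It reads both the `Hash:` armor header and the hash algorithm ID stored in the signature packet (RFC 4880), since the header is only a declaration and the two can disagree. The function names and the sample input are assumptions made for illustration; the sample is a constructed packet stub, not a real canary signature.

```python
import base64
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def declared_hashes(clearsigned):
    """Names listed in the 'Hash:' armor header(s) of a cleartext-signed message."""
    lines = clearsigned.splitlines()
    names = []
    for line in lines[lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1:]:
        if not line.strip():              # blank line ends the armor headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            names += [v.strip().upper() for v in value.split(",") if v.strip()]
    return names

def signature_hash(clearsigned):
    """Hash algorithm recorded in the signature packet itself."""
    body = clearsigned.split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    body = body.split("-----END PGP SIGNATURE-----", 1)[0].strip()
    lines = [l.strip() for l in body.splitlines()]
    if "" in lines:                       # drop armor headers such as "Version:"
        lines = lines[lines.index("") + 1:]
    pkt = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    first = pkt[0]
    if first & 0x40:                      # new-format packet header
        tag, l0 = first & 0x3F, pkt[1]
        off = 3 if 192 <= l0 < 224 else 6 if l0 == 255 else 2
    else:                                 # old-format packet header
        tag, off = (first >> 2) & 0x0F, 1 + (1, 2, 4, 0)[first & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    # v2/v3 body: hash ID at offset 16; v4 and later: offset 3
    hash_id = pkt[off + 16] if pkt[off] < 4 else pkt[off + 3]
    return HASH_IDS.get(hash_id, "UNKNOWN-%d" % hash_id)

def audit(clearsigned):
    declared, actual = declared_hashes(clearsigned), signature_hash(clearsigned)
    return {"declared": declared, "actual": actual, "mismatch": actual not in declared,
            "weak": actual in WEAK or any(d in WEAK for d in declared)}

def sample_canary(header_hash, packet_hash_id):
    # Constructed input: a 4-byte v4 signature packet stub, not a real signature.
    pkt = bytes([0x88, 0x04, 0x04, 0x01, 0x01, packet_hash_id])
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\ncanary text\n"
            "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n"
            % (header_hash, base64.b64encode(pkt).decode()))
```

Running `audit()` over each file in the canaries directory flags any canary whose header or signature packet still names SHA1, including one whose header was changed to SHA256 while the signature itself was not regenerated.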