On Mon, 27 Mar 2023 13:16:45 +0200, Zbigniew Jędrzejewski-Szmek wrote:
> I agree. The scope of the issue is fairly narrow, and the underlying
> issue is an invalid signature made by the anydesk maintainers.
> We also have a simple command that users can use to work around
> the issue.

If you are thinking of sq-keyring-linter, that won't help here. This is not a SHA-1 issue.

The issue (I think) is that the anydesk maintainers were too aggressive in what they stripped when they exported the OpenPGP certificate. They probably ran: `gpg --export --export-options export-minimal FINGERPRINT`. According to the gpg manual page, that does:

```
export-minimal
       Export the smallest key possible. This removes all signatures
       except the most recent self-signature on each user ID. This
       option is the same as running the '--edit-key' command
       "minimize" before export except that the local copy of the
       key is not modified. Defaults to no.
```

This makes sense when sharing an OpenPGP certificate via email, say, so that someone can (in the future) send you an encrypted message. But it doesn't make sense when sending the certificate to someone who should then verify past signatures, which is the case here.

Neal
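The effect described in the message above, as an added example (not code from this thread, GnuPG or Fedora): a small Python reader for a binary OpenPGP certificate that lists the creation times of its user ID certifications and checks whether one already existed when an older signature was made. It assumes every such certification is a self-signature and that the verifier wants one no newer than the signature it checks; `usable_at`, the sample bytes and the dates are constructed, and nothing is verified cryptographically.

```python
def varlen(buf, i, two_octet_max):
    """Decode an OpenPGP length at buf[i]; return (length, next index)."""
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o <= two_octet_max:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    """Yield (tag, body) for each packet of a binary (unarmored) certificate."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            n, i = varlen(data, i + 1, 223)
        else:                               # old-format header
            tag, w = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]  # IndexError: indeterminate
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        yield tag, data[i:i + n]
        i += n

def self_sig_times(cert):
    """Creation times of v4 user ID certifications (signature types 0x10-0x13)."""
    times = []
    for tag, b in packets(cert):
        if tag == 2 and b[0] == 4 and 0x10 <= b[1] <= 0x13:
            i, end = 6, 6 + int.from_bytes(b[4:6], "big")  # hashed subpackets
            while i < end:
                n, i = varlen(b, i, 254)
                if b[i] & 0x7F == 2:                       # creation time
                    times.append(int.from_bytes(b[i + 1:i + 5], "big"))
                i += n
    return sorted(times)

def usable_at(cert, when):
    """True if a user ID certification already existed at time `when`."""
    return any(t <= when for t in self_sig_times(cert))

# Constructed sample, not a real key; signatures are cut after the hashed area.
def _sig(t):
    return bytes([0xC2, 14, 4, 0x13, 1, 8, 0, 6, 5, 2]) + t.to_bytes(4, "big") + b"\0\0"

MINIMAL = bytes([0xC6, 6, 4, 0, 0, 0, 0, 0, 0xCD, 4]) + b"demo" + _sig(1672531200)
FULL = MINIMAL + _sig(1546300800)  # also keeps the older 2019-01-01 self-signature
PACKAGE_SIGNED = 1609459200        # 2021-01-01, before MINIMAL's only self-signature
```

For a real key, feed it the output of `gpg --export FINGERPRINT` with and without `--export-options export-minimal` and compare the two lists.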