Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> writes: > On Wed, Apr 5, 2017 at 3:04 PM, Tom G. Christensen <tgc@xxxxxxxxxxxxxxx> wrote: >> This adds an OLD_GNUPG define to the Makefile which when activated will >> ensure git does not use the --keyid-format argument when calling the >> 'gpg' program. >> This is consistent with how 'gpg' was used in git < 2.10.0 and slightly >> decreases security. > > This changes the code Linus Torvalds added in b624a3e67f to mitigate > the evil32 project generating keys which looked the same for 32 bit > signatures. > > I think this change makes sense, but the Makefile should have a > slightly scarier warning, something like: > > "Define OLD_GNUPG if you need support for gnupg <1.4. Note that this > will cause git to only show the first 32 bits of PGP keys instead of > 64, and there's a wide variety of brute-forced 32 bit keys in the wild > thanks to the evil32 project (https://evil32.com). Enabling this will > make GPG work old versions, but you might be fooled into accepting > malicious keys as a result". Very good point. It surprised me somewhat to see that this is the only change necessary (iow, there is no need to tweak anything in t/ directory). Perhaps we would need a test or two (and need to figure out a way to make them work with both old and more recent GnuPG)?