(Guile-SDL) release signing key
From: Thiago Jung Bauermann
Subject: (Guile-SDL) release signing key
Date: Sun, 19 Jun 2022 20:54:59 -0300
Hello,
I'd just like to report an issue I had when trying to verify the signature
for version 0.6.1's release: I downloaded the key from Thien-Thi Nguyen's
Savannah user page¹ and while it worked, GnuPG warned me that the key is
expired:
$ gpg --verify guile-sdl-0.6.1.tar.lz.sig
gpg: assuming signed data in 'guile-sdl-0.6.1.tar.lz'
gpg: Signature made Sun Feb 20 21:16:09 2022 -03
gpg: using DSA key 748EA0E81CB8A7489BFA6CE4670322244C807502
gpg: Good signature from "Thien-Thi Nguyen (software signing)
<ttn@gnuvola.org>" [expired]
gpg: aka "Thien-Thi Nguyen <ttn@gnuvola.org>" [expired]
gpg: aka "Thien-Thi Nguyen <ttn@gnu.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 748E A0E8 1CB8 A748 9BFA 6CE4 6703 2224 4C80 7502
So I have a few suggestions:
1. Take the opportunity to move to a current algorithm and key length.
AFAIK 1024-bit DSA is considered weak nowadays. Or if this is undesired,
update the key with a new expiry date.
2. Update the key on the Savannah user page.
3. Mention on the Guile-SDL website which public key is used to sign releases,
and how to obtain and verify it.
Thank you for providing this new release! It fixed a long-standing bug
reported on GNU Guix: “guile-sdl-0.5.2 fails to install on i686”².
--
Thanks
Thiago
¹ https://savannah.gnu.org/users/ttn
² https://issues.guix.gnu.org/22020
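
Added example, not part of the original message and not Guile-SDL project code: a scripted form of the check above that reads GnuPG's machine-readable output instead of the human-readable warning, so a good signature from an expired key is reported separately from a plain good one. The function names, the 2048-bit threshold and the sample lines are assumptions; only the fingerprint and key ID are taken from the message.

```shell
#!/bin/sh
# Classify `gpg --status-fd 1 --verify FILE.sig 2>/dev/null` output on stdin.
# Prints one verdict: bad, revoked-key, expired-key, good, no-pubkey, unknown.
sig_verdict() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "REVKEYSIG" { revoked = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }   # good signature, but key expired
        $2 == "GOODSIG"   { good = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        END {
            if (bad)          print "bad"
            else if (revoked) print "revoked-key"
            else if (expired) print "expired-key"
            else if (good)    print "good"
            else if (nokey)   print "no-pubkey"
            else              print "unknown"
        }'
}

# Inspect `gpg --with-colons --list-keys FPR` output on stdin.
# pub record: field 2 = validity (e = expired), field 3 = key length in bits,
# field 4 = algorithm id (1 = RSA, 17 = DSA).
# MIN_BITS is an assumed local policy, not something the message specifies.
key_findings() {
    awk -F: -v min="${MIN_BITS:-2048}" '
        $1 == "pub" {
            if ($2 == "e") print "expired"
            if (($4 == 1 || $4 == 17) && $3 + 0 < min + 0) print "short-key:" $3
        }'
}

# Constructed sample input (timestamps and hash id are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1600000000
[GNUPG:] EXPKEYSIG 670322244C807502 Thien-Thi Nguyen (software signing)
[GNUPG:] VALIDSIG 748EA0E81CB8A7489BFA6CE4670322244C807502 2022-02-21 1645402569 0 4 0 17 8 00 748EA0E81CB8A7489BFA6CE4670322244C807502'
SAMPLE_KEY='pub:e:1024:17:670322244C807502:1200000000:1600000000::-:::sc:'

printf '%s\n' "$SAMPLE_STATUS" | sig_verdict     # expired-key
printf '%s\n' "$SAMPLE_KEY" | key_findings       # expired, then short-key:1024
```

A release-verification script can treat only the verdict "good" with no key findings as a pass and send everything else for manual review.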