[R-sig-Debian] Please update GPG signature to long format.

Johannes Ranke jranke at uni-bremen.de
Sun Sep 4 19:18:03 CEST 2016


Hello Charles,

thanks for the hint - I changed the instructions for the Debian section to use 
the key fingerprint. The change should propagate to CRAN 

https://cran.r-project.org/bin/linux/debian

and its mirrors soon.

Best regards,

Johannes
Am Sonntag, 4. September 2016, 10:03:16 schrieb Charles Plessy:
> Hi Michael and Dirk,
> 
> there are raising concerns that, as of today's computing power, an attacker
> can generate a GPG key that has the same short ID as a target key.  In this
> situation, it may be possible that a user downloads and trusts the
> attacker's GPG key, and as a consequence installs malware.
> 
> For that reason (better explained in http://lwn.net/Articles/697417/), it is
> recommended to use long IDs or even full fingerprints.  I am therefore
> suggesting to update the instructions at
> <https://cran.rstudio.com/bin/linux/ubuntu/>.
> 
> s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/
> 
> (Note that I tested only in Debian Stable, which is one year older as
> Trusty, so it might be good to doublecheck on a Trusty system that it works
> as expected.)
> 
> Have a nice day,
> 
> Charles



More information about the R-SIG-Debian mailing list