[R-sig-Debian] Please update GPG signature to long format.
Johannes Ranke
jranke at uni-bremen.de
Sun Sep 4 19:18:03 CEST 2016
Hello Charles,
thanks for the hint - I changed the instructions for the Debian section to use
the key fingerprint. The change should propagate to CRAN
https://cran.r-project.org/bin/linux/debian
and its mirrors soon.
Best regards,
Johannes
On Sunday, 4 September 2016, 10:03:16, Charles Plessy wrote:
> Hi Michael and Dirk,
>
> there are rising concerns that, as of today's computing power, an attacker
> can generate a GPG key that has the same short ID as a target key. In this
> situation, it may be possible that a user downloads and trusts the
> attacker's GPG key, and as a consequence installs malware.
>
> For that reason (better explained in http://lwn.net/Articles/697417/), it is
> recommended to use long IDs or even full fingerprints. I am therefore
> suggesting to update the instructions at
> <https://cran.rstudio.com/bin/linux/ubuntu/>.
>
> s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/
>
> (Note that I tested only in Debian Stable, which is one year older than
> Trusty, so it might be good to double-check on a Trusty system that it works
> as expected.)
>
> Have a nice day,
>
> Charles
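An added check to go with the thread's point, not code from the list or from CRAN's instructions: it derives the short and long key IDs from the full fingerprint quoted above and accepts a key only when its full fingerprint matches, so a hypothetical key that shares the short ID is rejected. The `gpg --with-colons` listings and the colliding fingerprint are constructed samples.

```python
"""Verify an OpenPGP key by its full fingerprint, not its collidable short key ID."""

# Full fingerprint of the CRAN signing key, as quoted in the thread above.
CRAN_FPR = "E298A3A825C0D65DFD57CBB651716619E084DAB9"


def normalize(fpr):
    """Strip spaces and an optional 0x prefix and upper-case, so pasted values compare equal."""
    f = fpr.replace(" ", "").upper()
    return f[2:] if f.startswith("0X") else f


def short_id(fpr):
    """32-bit short key ID: the last 8 hex digits of the fingerprint (cheap to collide)."""
    return normalize(fpr)[-8:]


def long_id(fpr):
    """64-bit long key ID: the last 16 hex digits of the fingerprint."""
    return normalize(fpr)[-16:]


def fingerprints_from_colons(colon_output):
    """Collect fingerprints from `gpg --with-colons --fingerprint` output; the 'fpr' record holds it in field 10."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(normalize(fields[9]))
    return fprs


def key_matches(colon_output, expected_fpr):
    """True only if a listed key has exactly the expected full fingerprint; comparing short_id() alone would accept a colliding key."""
    return normalize(expected_fpr) in fingerprints_from_colons(colon_output)


# Constructed sample listings (not real gpg output): the genuine key, and a
# hypothetical second key whose fingerprint was chosen to end in the same 8 hex digits.
COLLIDING_FPR = "0123456789ABCDEF0123456789ABCDEF" + CRAN_FPR[-8:]
SAMPLE_GENUINE = "pub:-:2048:1:%s:1284472800::-:::scESC:\nfpr:::::::::%s:\n" % (long_id(CRAN_FPR), CRAN_FPR)
SAMPLE_COLLIDING = "pub:-:2048:1:%s:1284472800::-:::scESC:\nfpr:::::::::%s:\n" % (long_id(COLLIDING_FPR), COLLIDING_FPR)

if __name__ == "__main__":
    print("short ID", short_id(CRAN_FPR), "long ID", long_id(CRAN_FPR))
    print("genuine key accepted:", key_matches(SAMPLE_GENUINE, CRAN_FPR))
    print("colliding key accepted:", key_matches(SAMPLE_COLLIDING, CRAN_FPR))
```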