
Update repository GPG key algorithm

Open · ziller-hqs opened this issue 2 months ago · 1 comment

Currently, the key used to sign the repository is still using SHA1 as algorithm. This algorithm has been declared obsolete/insecure for quite some time now.

Although the documentation on installation on RedHat/Rocky/CentOS clearly states that the OS needs to be modified to accept SHA1-based encryption, I would prefer to not modify such a high security setting of the OS.

Please sign the repository and the packages using a newer GPG key that uses an up-to-date algorithm.

I have seen a comment in another ticket that version 4.x is around the corner, this might be a good time to include this change as well?

ziller-hqs, Oct 28 '25 08:10
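Before relaxing the OS crypto policy to accept a SHA1-signed repository key, an administrator will usually want to confirm which digest algorithm the key's signatures actually use. The script below is an added example, not code from the patchman project or from anyone in this thread: it parses the text that `gpg --list-packets <keyfile>` prints, maps the OpenPGP digest algorithm ids (RFC 4880, section 9.4) to names, and lists every signature packet that still relies on MD5 or SHA1. The sample `gpg` output embedded in it is constructed for the example; the key id and dates in it are not real. The helper `run_gpg_list_packets` is the only part that needs a `gpg` binary installed.

```python
"""Find legacy (MD5/SHA1) digests in `gpg --list-packets` output.

Added example for checking a repository signing key before deciding
whether the SHA1 crypto-policy exception is really needed. The sample
output below is constructed and does not describe any real key.
"""
import re
import subprocess
from dataclasses import dataclass

# OpenPGP hash algorithm ids (RFC 4880, section 9.4).
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests that current system-wide crypto policies reject for signatures.
LEGACY_DIGESTS = {1, 2}

# Constructed sample of `gpg --list-packets` output: a key with a SHA1
# user-id self-signature (sigclass 0x13) and a SHA256 subkey binding
# signature (sigclass 0x18). The key id is a placeholder.
SAMPLE_LIST_PACKETS = """\
:public key packet:
\tversion 4, algo 1, created 1600000000, expires 0
\tkeyid: 0123456789ABCDEF
:user ID packet: "Example Repo <repo@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1600000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 1a 2b
\thashed subpkt 2 len 4 (sig created 2020-09-13)
\tdata: [2047 bits]
:public sub key packet:
\tversion 4, algo 1, created 1600000000, expires 0
\tkeyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1600000000, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 3c 4d
\tdata: [2048 bits]
"""


@dataclass
class SigInfo:
    """One signature packet as reported by gpg."""
    keyid: str
    sigclass: str
    digest_algo: int

    @property
    def digest_name(self) -> str:
        return DIGEST_NAMES.get(self.digest_algo, f"algo {self.digest_algo}")

    @property
    def legacy(self) -> bool:
        return self.digest_algo in LEGACY_DIGESTS


def parse_list_packets(text: str) -> list[SigInfo]:
    """Extract keyid, sigclass and digest algorithm of each signature packet."""
    sigs: list[SigInfo] = []
    keyid = sigclass = None
    for line in text.splitlines():
        if line.startswith(":"):
            # Any new packet header ends the previous signature packet.
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
            keyid = m.group(1) if m else None
            sigclass = None
            continue
        if keyid is None:
            continue
        m = re.search(r"sigclass (0x[0-9A-Fa-f]+)", line)
        if m:
            sigclass = m.group(1)
        m = re.search(r"digest algo (\d+)", line)
        if m:
            sigs.append(SigInfo(keyid, sigclass or "?", int(m.group(1))))
            keyid = None  # one digest line per signature packet
    return sigs


def legacy_signatures(text: str) -> list[SigInfo]:
    """Signatures whose digest the DEFAULT policy would refuse."""
    return [s for s in parse_list_packets(text) if s.legacy]


def report(text: str) -> str:
    """Human-readable summary, one line per signature packet."""
    lines = [f"{'LEGACY' if s.legacy else 'ok    '} keyid={s.keyid} "
             f"sigclass={s.sigclass} digest={s.digest_name}"
             for s in parse_list_packets(text)]
    return "\n".join(lines)


def run_gpg_list_packets(path: str) -> str:
    """Run gpg on a real key file (binary or ASCII-armored) and return its output."""
    return subprocess.run(["gpg", "--list-packets", path],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(report(SAMPLE_LIST_PACKETS))
```

On a real system, replace `SAMPLE_LIST_PACKETS` with `run_gpg_list_packets("/path/to/repo-key.gpg")`; a key whose user-id self-signature shows `digest=SHA1` is the case that forces the policy change, while one whose signatures all report SHA256 or stronger can be installed without touching the crypto policy. The same parser works on `gpg --list-packets` output for a detached repository metadata signature, since the digest line has the same form there.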

I am testing a new key at the moment. The new key is with the old key at https://repo.openbytes.ie/openbytes-1.gpg

For patchman 4.x packages/repos, I will use this key for signing.

furlongm, Oct 28 '25 14:10