TorChat
PGP Sign downloads
Hi,
I noticed on your old issue tracker https://code.google.com/p/torchat/issues/detail?id=110 there was a request to PGP sign downloads.
Given the nature of this software and the incentive an adversary might have in distributing tampered copies.
If you do decide to sign these downloads, using the key below is not recommended:
pub 1024D/3945A21D 2007-10-04 [expires: 2012-12-21]
uid Bernd Kreuss [email protected]
uid Bernd Kreuss [email protected]
uid Bernd Kreuss [email protected]
uid [jpeg image of size 8534]
sub 4096g/68BE2E6D 2007-10-04 [expires: 2012-12-21]
as I believe there's a weakness with 1024-bit DSA keys. See http://keyring.debian.org/creating-key.html and http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
At the time of opening this bug, 1024-bit DSA keys are no longer the default in GPG (despite what the above link says). Perhaps you'd like to update to a shiny 4096-bit RSA/RSA key.
Why not?
That would be good.
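An added example, not part of the original issue or of the TorChat project: a small Python check that parses the legacy GnuPG listing format quoted in the issue and flags undersized or expired keys before they are trusted for release signing. The 2048-bit minimum and the names `audit_listing`, `ALGO` and `MIN_BITS` are assumptions of this example.

```python
import re
from datetime import date

# Algorithm letters used in the legacy GnuPG key listing quoted in the issue.
ALGO = {"R": "RSA", "D": "DSA", "g": "Elgamal (encrypt-only)"}
# Assumed policy for this example: minimum acceptable key size per algorithm.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "Elgamal (encrypt-only)": 2048}

# Matches "pub 1024D/3945A21D 2007-10-04 [expires: 2012-12-21]" style lines.
KEY_RE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[expires:\s*(\d{4}-\d{2}-\d{2})\])?"
)

def audit_listing(text, today):
    """Return (key_id, problem) pairs for each pub/sub line that fails policy."""
    findings = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # uid lines carry no key parameters
        _kind, bits, letter, key_id, _created, expires = m.groups()
        algo = ALGO.get(letter)
        if algo is None:
            findings.append((key_id, "unrecognised algorithm letter %r" % letter))
        elif int(bits) < MIN_BITS[algo]:
            findings.append(
                (key_id, "%s-bit %s below %d-bit minimum" % (bits, algo, MIN_BITS[algo]))
            )
        if expires and date.fromisoformat(expires) < today:
            findings.append((key_id, "expired on %s" % expires))
    return findings

# The key listing from the issue, one record per line (uid lines shortened).
LISTING = """\
pub 1024D/3945A21D 2007-10-04 [expires: 2012-12-21]
uid [jpeg image of size 8534]
sub 4096g/68BE2E6D 2007-10-04 [expires: 2012-12-21]
"""

if __name__ == "__main__":
    for key_id, problem in audit_listing(LISTING, date.today()):
        print(key_id, problem)
```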