keybase-issues icon indicating copy to clipboard operation
keybase-issues copied to clipboard
verified publisher icon keybase

Code signing key uses an insecure hash algorithm

Open cezmunsta opened this issue 2 years ago • 4 comments 

$ sudo rpm --import https://keybase.io/docs/server_security/code_signing_key.asc
warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://keybase.io/docs/server_security/code_signing_key.asc: key 1 import failed.

At the least, this prevents use on RHEL 9.

cezmunsta avatar Oct 18 '23 11:10 cezmunsta

Huh.

I admit that I'm far from an expert in anything related to cryto, but I cannot find any references to SHA1 on Keybase's public PGP key. The only information I get is that the PGP key was generated using RSA (4096 bits) encryption, which sounds rather secure to me.

But maybe I don't really understand the complexity of the issue altogether.

What happens when you import Keybase's code-signing public key directly into the PGP keychain (i.e., not going through whatever internal processes RPM might be using)?

GwynethLlewelyn avatar Nov 18 '23 00:11 GwynethLlewelyn

@GwynethLlewelyn this is for package management, signing the package with a weak hashing algorithm and thus forcing the user to weaken the default crypto policy (and thus system), or disable signature checking during installs is not a good look.

The use of SHA-1 is restricted in the DEFAULT crypto policy. Except for HMAC, SHA-1 is no longer allowed in TLS, DTLS, SSH, IKEv2, DNSSEC and Kerberos protocols.

cezmunsta avatar Nov 18 '23 14:11 cezmunsta