
Bug#983069: lintian: please check that upstream signature is made with a modern hash (warn or error on MD5, SHA1, or RIPEMD160)



Hi dkg,

On Thu, Feb 18, 2021 at 2:57 PM Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
>
> uses a weak cryptographic digest algorithm.

That's a great idea! As a first step, I would like to show a
classification tag with the hash algorithm. (It could be used for
statistics.) Can 'gpgv' output such signature characteristics?

The warning you asked for would then take place on top of that—perhaps
with different severities depending on how dated the algorithm is.
Thanks!

Kind regards,
Felix Lechner
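
For the classification tag discussed in the message above, an added example (not part of the original message, and not lintian's code): the hash algorithm is a single octet in the OpenPGP signature packet (RFC 4880), so a detached upstream signature can be classified without verifying it. The function names and the sample packet are constructed for illustration; only v3 and v4 signature packets are handled.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # the digests named in the bug title

def dearmor(data):
    """Return raw packets from an ASCII-armored or already-binary signature."""
    if not data.lstrip().startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]  # drop armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def packets(raw):
    """Yield (tag, body) for each OpenPGP packet in raw."""
    pos = 0
    while pos < len(raw):
        hdr = raw[pos]
        if not hdr & 0x80 or (not hdr & 0x40 and (hdr & 3) == 3):
            raise ValueError("bad or indeterminate-length packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, raw[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + raw[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(raw[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: low two bits give the length field size
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length, pos = int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        yield tag, raw[pos:pos + length]
        pos += length

def classify(data):
    """Return [(hash_name, is_weak)] for every signature packet (tag 2)."""
    out = []
    for tag, body in packets(dearmor(data)):
        if tag == 2:  # hash ID octet: offset 16 in v3 signatures, 3 in v4
            algo = body[{3: 16, 4: 3}[body[0]]]
            name = HASH_NAMES.get(algo, "unknown-%d" % algo)
            out.append((name, name in WEAK))
    return out

# Constructed packet, not a real signature: v4, binary sig, RSA, hash ID 2.
SAMPLE_SHA1 = bytes.fromhex("880d" "04000102" "00000000" "abcd" "0008ff")
```

`classify(SAMPLE_SHA1)` reports the packet as SHA1 and weak; the same call accepts the contents of an armored `.asc` file.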

