Re: Removal of < 2048 bit keys from the Debian keyrings complete
On Thu, Jan 01, 2015 at 07:10:39PM +0000, Jonathan McDowell wrote:
> Happy New Year! The previously announced removal of OpenPGP keys
> shorter than 2048 bits from the Debian keyrings has now been completed.
hopenpgp-tools 0.13-1, jq 1.4-2.1, attached script
(debian-keyring.gpg)
Total primary keys: 719
Key versions:
719 4
Primary key pubkey algorithms:
1 "DSA"
718 "RSA"
Primary key pubkey sizes:
32 2048
5 3072
1 3744
677 4096
3 8192
1 10240
Judgment on preferred hash algorithms of "best" uid/uat:
703 null
16 "weak hash with higher preference"
Judgment on expiration times of "best" uid/uat:
2 "expiration passed"
30 "expiration too far in future"
572 "no expiration set"
115 null
Total number of UIDs + UAts: 2534
Hash algorithm used for most recent self-sig:
3 "RIPEMD160"
578 "SHA1"
1662 "SHA256"
291 "SHA512"
Judgment on preferred hash algorithms:
1956 null
578 "weak hash algorithm"
Judgment on expiration times:
16 "expiration passed"
99 "expiration too far in future"
1998 "no expiration set"
421 null
==========================================
(debian-maintainers.gpg)
Total primary keys: 201
Key versions:
201 4
Primary key pubkey algorithms:
1 "DSA"
200 "RSA"
Primary key pubkey sizes:
18 2048
3 3072
1 3104
177 4096
2 8192
Judgment on preferred hash algorithms of "best" uid/uat:
199 null
1 "weak hash with higher preference"
Judgment on expiration times of "best" uid/uat:
2 "expiration passed"
7 "expiration too far in future"
144 "no expiration set"
47 null
Total number of UIDs + UAts: 590
Hash algorithm used for most recent self-sig:
177 "SHA1"
300 "SHA256"
3 "SHA384"
110 "SHA512"
Judgment on preferred hash algorithms:
413 null
177 "weak hash algorithm"
Judgment on expiration times:
3 "expiration passed"
19 "expiration too far in future"
439 "no expiration set"
129 null
==========================================
(debian-nonupload.gpg)
Total primary keys: 11
Key versions:
11 4
Primary key pubkey algorithms:
11 "RSA"
Primary key pubkey sizes:
1 2048
10 4096
Judgment on preferred hash algorithms of "best" uid/uat:
11 null
Judgment on expiration times of "best" uid/uat:
7 "no expiration set"
4 null
Total number of UIDs + UAts: 33
Hash algorithm used for most recent self-sig:
12 "SHA1"
19 "SHA256"
2 "SHA512"
Judgment on preferred hash algorithms:
21 null
12 "weak hash algorithm"
Judgment on expiration times:
18 "no expiration set"
15 null
==========================================
#!/bin/zsh
# Summarise `hokey lint` JSON output for a keyring (default: debian-keyring.gpg).
infile=${1:-/usr/share/keyrings/debian-keyring.gpg}
tempfile=$(mktemp)
trap 'rm -f -- "${tempfile}"' EXIT
# Lint the keyring once; every jq query below reads the saved JSON.
hokey lint --output-format JSON <"${infile}" >"${tempfile}"
# Counting lines assumes one JSON object per primary key per line.
print -n "Total primary keys: "
wc -l <"${tempfile}" # jq '.keyFingerprint' ${tempfile} | wc -l
# Per-primary-key statistics.
print "Key versions: "
jq '.keyVer.val' "${tempfile}" | sort | uniq -c
print "Primary key pubkey algorithms: "
jq '.keyAlgorithmAndSize.pubkeyalgo.val' "${tempfile}" | sort | uniq -c
print "Primary key pubkey sizes: "
jq '.keyAlgorithmAndSize.pubkeysize.val' "${tempfile}" | sort -n | uniq -c
# Judgments on the "best" uid/uat of each key.
print "Judgment on preferred hash algorithms of \"best\" uid/uat: "
jq '.keyBestOf.uidPreferredHashAlgorithms | .[].explanation' "${tempfile}" | sort | uniq -c
print "Judgment on expiration times of \"best\" uid/uat: "
jq '.keyBestOf.uidKeyExpirationTimes | .[].explanation' "${tempfile}" | sort | uniq -c
# Statistics over every uid/uat on every key.
print -n "Total number of UIDs + UAts: "
jq '.keyUIDsAndUAts | keys | .[]' "${tempfile}" | wc -l
print "Hash algorithm used for most recent self-sig: "
jq '.keyUIDsAndUAts | .[].val.uidSelfSigHashAlgorithms | .[].val' "${tempfile}" | sort | uniq -c
print "Judgment on preferred hash algorithms: "
jq '.keyUIDsAndUAts | .[].val.uidSelfSigHashAlgorithms | .[].explanation' "${tempfile}" | sort | uniq -c
print "Judgment on expiration times: "
jq '.keyUIDsAndUAts | .[].val.uidKeyExpirationTimes | .[].explanation' "${tempfile}" | sort | uniq -c
print "=========================================="