Bug#900236: tlmgr manpage: 32-bit OpenPGP key IDs
Package: texlive-base
Version: 2018.20180505-1
The tlmgr(1) manual page reads:
The signature is created by the TeX Live Distribution GPG key
0x06BAB6BC, which in turn is signed by Karl Berry’s key 0x30D155AD and
Norbert Preining’s key 0x6CACA448.
Please don't use 32-bit OpenPGP key IDs. It's computationally trivial to
generate a new key with chosen short ID. Please use 64-bit key IDs, or,
even better, full fingerprints.
In fact, if you request the 0x30D155AD key from a keyserver, you will
get _two_ keys; one of them is presumably a sham key originating from
<https://evil32.com/>.
OTOH, there's no 0x6CACA448 key on keyservers. An attacker could upload
their own key with such ID without raising much suspicion.
--
Jakub Wilk
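The ambiguity the report describes, as an added illustration that is not part of the bug report or of tlmgr: the block computes an OpenPGP v4 fingerprint per RFC 4880, derives the 64-bit and 32-bit key IDs from it (they are simply the fingerprint's low 64 and low 32 bits), and shows a keyring lookup by the short ID 0x30D155AD matching two keys while a pinned full fingerprint matches exactly one. The keyring entries and the key packet are constructed stand-ins, not the real TeX Live or maintainer keys.

```python
import hashlib
import re

def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    prefix = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_packet_body).hexdigest().upper()

def _clean(ident: str) -> str:
    """Strip whitespace and an optional 0x prefix; upper-case the hex."""
    ident = re.sub(r"\s", "", ident).upper()
    return ident[2:] if ident.startswith("0X") else ident

def long_key_id(fingerprint: str) -> str:
    """64-bit key ID = low 64 bits (last 16 hex digits) of the fingerprint."""
    return _clean(fingerprint)[-16:]

def short_key_id(fingerprint: str) -> str:
    """32-bit key ID = low 32 bits (last 8 hex digits) of the fingerprint."""
    return _clean(fingerprint)[-8:]

def lookup(keyring, identifier: str) -> list:
    """Every fingerprint in keyring whose low bits match identifier.
    identifier is 8, 16 or 40 hex digits; only 40 can be unambiguous."""
    ident = _clean(identifier)
    if len(ident) not in (8, 16, 40) or not re.fullmatch(r"[0-9A-F]+", ident):
        raise ValueError("identifier must be 8, 16 or 40 hex digits")
    return [fpr for fpr in keyring if _clean(fpr).endswith(ident)]

def is_pinned_key(fingerprint: str, pinned: str) -> bool:
    """Accept a key only against a pinned full fingerprint, never a key ID."""
    return len(_clean(pinned)) == 40 and _clean(fingerprint) == _clean(pinned)

# Constructed keyring: two stand-in fingerprints sharing the short ID
# 0x30D155AD from the report; these are NOT the real keys' fingerprints.
KEYRING = {
    "1" * 32 + "30D155AD": "constructed stand-in for the intended key",
    "2" * 32 + "30D155AD": "constructed stand-in for a colliding key",
}

# Constructed minimal v4 RSA public-key packet body: version 4, creation
# time, algorithm 1 (RSA), then MPIs n and e (toy sizes, not a usable key).
TOY_PACKET = (b"\x04" + (0x5AF00000).to_bytes(4, "big") + b"\x01"
              + (16).to_bytes(2, "big") + b"\xC3\x4B"        # n = 0xC34B (16 bits)
              + (17).to_bytes(2, "big") + b"\x01\x00\x01")   # e = 65537 (17 bits)
```

`lookup(KEYRING, "0x30D155AD")` returns both constructed keys, whereas the 64-bit ID or the full fingerprint selects one; `is_pinned_key` refuses any pin shorter than a full fingerprint.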