commit f0709edfcdbb1d24855c66736d2f9a7f8aaf6631
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun Jul 21 14:26:13 2024 -0700

refresh upstream signing keys

This refreshes the upstream signing keys to their current preferred forms, without changing any of the specific primary keys.

The substantive updates are:

- packets all use "new" OpenPGP format (introduced 20 years ago)
- revoking old hushmail User ID for Nikos
- updating the expiration dates of most certificates
- replacing signatures that used SHA1 with SHA256 or SHA512
- new subkey for Tim
- remove Alexander's User Attribute image

Concretely, the changes here are (via "sq toolbox packet dump"):

--- before/signing-key.asc +++ after/signing-key.asc @@ -1,4 +1,4 @@ -Public-Key Packet, old CTB, 401 bytes +Public-Key Packet, new CTB, 401 bytes Version: 4 Creation time: 2008-05-04 16:35:00 UTC Pk algo: RSA @@ -6,14 +6,14 @@ Fingerprint: 1F42418905D8206AA754CCDC29EE58B996865171 KeyID: 29EE58B996865171 -User ID Packet, old CTB, 41 bytes - Value: Nikos Mavrogiannopoulos <nmav@gnutls.org> +User ID Packet, new CTB, 55 bytes + Value: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> -Signature Packet, old CTB, 451 bytes +Signature Packet, new CTB, 474 bytes Version: 4 Type: PositiveCertification Pk algo: RSA - Hash algo: SHA1 + Hash algo: SHA512 Hashed area: Key flags: CS Key expiration time: 19years 11months 25days 9h 50m 24s 
@@ -22,23 +22,23 @@ Compression preferences: Zlib, BZip2, Zip Features: SEIPDv1 Keyserver preferences: no modify - Signature creation time: 2008-09-15 18:57:11 UTC + Issuer Fingerprint: 1F42418905D8206AA754CCDC29EE58B996865171 + Signature creation time: 2021-02-13 15:06:51 UTC Primary User ID: true Unhashed area: Issuer: 29EE58B996865171 - Digest prefix: F922 + Digest prefix: EFEC Level: 0 (signature over data) -User ID Packet, old CTB, 55 bytes - Value: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> +User ID Packet, new CTB, 41 bytes + Value: Nikos Mavrogiannopoulos <nmav@gnutls.org> -Signature Packet, old CTB, 448 bytes +Signature Packet, new CTB, 471 bytes Version: 4 Type: PositiveCertification Pk algo: RSA - Hash algo: SHA1 + Hash algo: SHA512 Hashed area: - Signature creation time: 2008-05-04 16:39:49 UTC Key flags: CS Key expiration time: 19years 11months 25days 9h 50m 24s Symmetric algo preferences: AES256, AES192, AES128, CAST5, TripleDES 
@@ -46,34 +46,31 @@ Compression preferences: Zlib, BZip2, Zip Features: SEIPDv1 Keyserver preferences: no modify + Issuer Fingerprint: 1F42418905D8206AA754CCDC29EE58B996865171 + Signature creation time: 2021-02-13 15:06:51 UTC Unhashed area: Issuer: 29EE58B996865171 - Digest prefix: 0BE3 + Digest prefix: 790E Level: 0 (signature over data) -User ID Packet, old CTB, 43 bytes +User ID Packet, new CTB, 43 bytes Value: Nikos Mavrogiannopoulos <nmav@hushmail.com> -Signature Packet, old CTB, 450 bytes +Signature Packet, new CTB, 457 bytes Version: 4 - Type: PositiveCertification + Type: CertificationRevocation Pk algo: RSA - Hash algo: SHA1 + Hash algo: SHA512 Hashed area: - Signature creation time: 2013-02-25 21:14:06 UTC - Key flags: CS - Key expiration time: 19years 11months 25days 9h 50m 24s - Symmetric algo preferences: AES256, AES192, AES128, CAST5, TripleDES - Hash preferences: SHA256, SHA1, SHA384, SHA512, SHA224 - Compression preferences: Zlib, BZip2, Zip - Features: SEIPDv1 - Keyserver preferences: no modify + Issuer Fingerprint: 1F42418905D8206AA754CCDC29EE58B996865171 + Signature creation time: 2021-02-13 15:06:11 UTC + Reason for revocation: User ID information is no longer valid, No longer used. Unhashed area: Issuer: 29EE58B996865171 - Digest prefix: 8248 + Digest prefix: B7EB Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 269 bytes +Public-Subkey Packet, new CTB, 269 bytes Version: 4 Creation time: 2018-02-06 05:45:13 UTC Pk algo: RSA @@ -81,7 +78,7 @@ Fingerprint: 59FBB55CA7F3A8AB0C503773D81C4887F1679A65 KeyID: D81C4887F1679A65 -Signature Packet, old CTB, 758 bytes +Signature Packet, new CTB, 758 bytes Version: 4 Type: SubkeyBinding Pk algo: RSA @@ -110,7 +107,7 @@ Digest prefix: D815 Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 269 bytes +Public-Subkey Packet, new CTB, 269 bytes Version: 4 Creation time: 2018-02-06 05:45:46 UTC Pk algo: RSA 
@@ -118,7 +115,7 @@ Fingerprint: 1F9ABA5E96A1227366ED49A19B4A51263E13AF91 KeyID: 9B4A51263E13AF91 -Signature Packet, old CTB, 448 bytes +Signature Packet, new CTB, 448 bytes Version: 4 Type: SubkeyBinding Pk algo: RSA @@ -133,7 +130,7 @@ Digest prefix: 45E7 Level: 0 (signature over data) -Public-Key Packet, old CTB, 525 bytes +Public-Key Packet, new CTB, 525 bytes Version: 4 Creation time: 2009-07-23 04:59:26 UTC Pk algo: RSA @@ -141,10 +138,10 @@ Fingerprint: 462225C3B46F34879FC8496CD605848ED7E69871 KeyID: D605848ED7E69871 -User ID Packet, old CTB, 25 bytes +User ID Packet, new CTB, 25 bytes Value: Daiki Ueno <ueno@gnu.org> -Signature Packet, old CTB, 597 bytes +Signature Packet, new CTB, 597 bytes Version: 4 Type: PositiveCertification Pk algo: RSA @@ -164,14 +161,14 @@ Digest prefix: 0335 Level: 0 (signature over data) -User ID Packet, old CTB, 30 bytes +User ID Packet, new CTB, 30 bytes Value: Daiki Ueno <ueno@unixuser.org> -Signature Packet, old CTB, 596 bytes +Signature Packet, new CTB, 596 bytes Version: 4 Type: PositiveCertification Pk algo: RSA - Hash algo: SHA1 + Hash algo: SHA256 Hashed area: Key flags: CS Features: SEIPDv1 @@ -180,14 +177,14 @@ Hash preferences: SHA512, SHA384, SHA256, SHA224 Compression preferences: Zlib, BZip2, Zip, Uncompressed Issuer Fingerprint: 462225C3B46F34879FC8496CD605848ED7E69871 - Signature creation time: 2018-09-26 05:35:55 UTC - Key expiration time: 14years 2months 2days 15h 29m 17s + Signature creation time: 2023-06-30 08:24:20 UTC + Key expiration time: 16years 11months 6days 7h 15m 18s Unhashed area: Issuer: D605848ED7E69871 - Digest prefix: EEA6 + Digest prefix: 51AD Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 525 bytes +Public-Subkey Packet, new CTB, 525 bytes Version: 4 Creation time: 2010-02-04 22:52:44 UTC Pk algo: RSA 
@@ -195,20 +192,23 @@ Fingerprint: 2567E23B4A79AD4DC685099850AD4600C8C530D6 KeyID: 50AD4600C8C530D6 -Signature Packet, old CTB, 543 bytes +Signature Packet, new CTB, 638 bytes Version: 4 Type: SubkeyBinding Pk algo: RSA - Hash algo: SHA1 + Hash algo: SHA256 Hashed area: - Signature creation time: 2010-02-04 22:52:44 UTC - Key flags: EtEr - Unhashed area: + Signature creation time: 2023-07-03 11:38:10 UTC (critical) Issuer: D605848ED7E69871 - Digest prefix: 30AC + Notation: salt@notations.sequoia-pgp.org + 00000000 99 81 91 ac 52 3b 91 ba cb e1 8c c1 3a bf 44 b2 + 00000010 64 24 c1 64 77 3d bd 0e 62 ee a5 79 38 f6 6d 2e + Key flags: EtEr + Issuer Fingerprint: 462225C3B46F34879FC8496CD605848ED7E69871 + Digest prefix: ECB2 Level: 0 (signature over data) -Public-Key Packet, old CTB, 525 bytes +Public-Key Packet, new CTB, 525 bytes Version: 4 Creation time: 2014-06-26 12:35:28 UTC Pk algo: RSA @@ -216,10 +216,10 @@ Fingerprint: 1CB27DBC98614B2D5841646D08302DB6A2670428 KeyID: 08302DB6A2670428 -User ID Packet, old CTB, 32 bytes +User ID Packet, new CTB, 32 bytes Value: Tim Rühsen <tim.ruehsen@gmx.de> -Signature Packet, old CTB, 596 bytes +Signature Packet, new CTB, 590 bytes Version: 4 Type: PositiveCertification Pk algo: RSA 
@@ -232,14 +232,35 @@ Features: SEIPDv1 Keyserver preferences: no modify Issuer Fingerprint: 1CB27DBC98614B2D5841646D08302DB6A2670428 - Signature creation time: 2019-02-27 18:53:27 UTC - Key expiration time: 6years 8months 2days 5h 49m 11s + Signature creation time: 2021-03-07 17:45:33 UTC + Unhashed area: + Issuer: 08302DB6A2670428 + Digest prefix: D674 + Level: 0 (signature over data) + +Public-Subkey Packet, new CTB, 525 bytes + Version: 4 + Creation time: 2014-06-26 12:35:28 UTC + Pk algo: RSA + Pk size: 4096 bits + Fingerprint: B9B146F2AD45FF7E2CAE90CC5883EEF90A4FC1CF + KeyID: 5883EEF90A4FC1CF + +Signature Packet, new CTB, 566 bytes + Version: 4 + Type: SubkeyBinding + Pk algo: RSA + Hash algo: SHA512 + Hashed area: + Key flags: EtEr + Issuer Fingerprint: 1CB27DBC98614B2D5841646D08302DB6A2670428 + Signature creation time: 2021-03-07 17:45:49 UTC Unhashed area: Issuer: 08302DB6A2670428 - Digest prefix: E83A + Digest prefix: 776A Level: 0 (signature over data) -Public-Key Packet, old CTB, 51 bytes +Public-Key Packet, new CTB, 51 bytes Version: 4 Creation time: 2021-12-23 11:16:51 UTC Pk algo: EdDSA 
@@ -247,31 +268,31 @@ Fingerprint: 5D46CB0F763405A7053556F47A75A648B3F9220C KeyID: 7A75A648B3F9220C -User ID Packet, old CTB, 37 bytes +User ID Packet, new CTB, 37 bytes Value: Zoltan Fridrich <zfridric@redhat.com> -Signature Packet, old CTB, 154 bytes +Signature Packet, new CTB, 154 bytes Version: 4 Type: PositiveCertification Pk algo: EdDSA Hash algo: SHA512 Hashed area: - Issuer Fingerprint: 5D46CB0F763405A7053556F47A75A648B3F9220C - Signature creation time: 2021-12-23 11:16:51 UTC Key flags: CS - Key expiration time: 1year 11months 29days 21h 50m 24s Symmetric algo preferences: AES256, AES192, AES128, TripleDES AEAD preferences: OCB, EAX Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1 Compression preferences: Zlib, BZip2, Zip Features: SEIPDv1, AEAD, #2 Keyserver preferences: no modify + Issuer Fingerprint: 5D46CB0F763405A7053556F47A75A648B3F9220C + Signature creation time: 2024-01-02 13:17:23 UTC + Key expiration time: 5years 8days 20h 32s Unhashed area: Issuer: 7A75A648B3F9220C - Digest prefix: 69D8 + Digest prefix: 1AB4 Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 56 bytes +Public-Subkey Packet, new CTB, 56 bytes Version: 4 Creation time: 2021-12-23 11:16:51 UTC Pk algo: ECDH 
@@ -279,22 +300,22 @@ Fingerprint: DF7B507669E926A2A1F09BBB46CFDAE328F33704 KeyID: 46CFDAE328F33704 -Signature Packet, old CTB, 126 bytes +Signature Packet, new CTB, 126 bytes Version: 4 Type: SubkeyBinding Pk algo: EdDSA Hash algo: SHA512 Hashed area: - Issuer Fingerprint: 5D46CB0F763405A7053556F47A75A648B3F9220C - Signature creation time: 2021-12-23 11:16:51 UTC Key flags: EtEr - Key expiration time: 1year 11months 29days 21h 50m 24s + Issuer Fingerprint: 5D46CB0F763405A7053556F47A75A648B3F9220C + Signature creation time: 2024-01-02 13:13:03 UTC + Key expiration time: 5years 8days 19h 56m 12s Unhashed area: Issuer: 7A75A648B3F9220C - Digest prefix: CFC4 + Digest prefix: 2B5D Level: 0 (signature over data) -Public-Key Packet, old CTB, 525 bytes +Public-Key Packet, new CTB, 525 bytes Version: 4 Creation time: 2016-09-27 09:06:31 UTC Pk algo: RSA @@ -302,10 +323,10 @@ Fingerprint: E987AB7F7E89667776D05B3BB0E9DD20B29F1432 KeyID: B0E9DD20B29F1432 -User ID Packet, old CTB, 39 bytes +User ID Packet, new CTB, 39 bytes Value: Alexander Sosedkin <monk@unboiled.info> -Signature Packet, old CTB, 567 bytes +Signature Packet, new CTB, 590 bytes Version: 4 Type: PositiveCertification Pk algo: RSA 
@@ -320,31 +341,33 @@ Compression preferences: Zlib, BZip2, Zip, Uncompressed Unhashed area: Issuer: B0E9DD20B29F1432 + Issuer Fingerprint: E987AB7F7E89667776D05B3BB0E9DD20B29F1432 Digest prefix: 7E50 Level: 0 (signature over data) -User Attribute Packet, new CTB, 1003 bytes - JPEG: 984 bytes +Public-Subkey Packet, new CTB, 525 bytes + Version: 4 + Creation time: 2021-08-21 03:09:23 UTC + Pk algo: RSA + Pk size: 4096 bits + Fingerprint: 56FAF07285D50A13A260DBC030FAA8E177B849C4 + KeyID: 30FAA8E177B849C4 -Signature Packet, old CTB, 567 bytes +Signature Packet, new CTB, 566 bytes Version: 4 - Type: PositiveCertification + Type: SubkeyBinding Pk algo: RSA Hash algo: SHA256 Hashed area: - Key flags: CS - Features: SEIPDv1 - Keyserver preferences: no modify - Signature creation time: 2016-09-27 09:10:12 UTC - Symmetric algo preferences: AES256, AES192, AES128, CAST5 - Hash preferences: SHA512, SHA384, SHA256, SHA224 - Compression preferences: Zlib, BZip2, Zip, Uncompressed + Issuer Fingerprint: E987AB7F7E89667776D05B3BB0E9DD20B29F1432 + Signature creation time: 2021-08-21 03:09:23 UTC + Key flags: A Unhashed area: Issuer: B0E9DD20B29F1432 - Digest prefix: 2945 + Digest prefix: 829B Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 525 bytes +Public-Subkey Packet, new CTB, 525 bytes Version: 4 Creation time: 2016-09-27 09:10:17 UTC Pk algo: RSA @@ -352,7 +375,7 @@ Fingerprint: A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB KeyID: 412748A40AFCC2FB -Signature Packet, old CTB, 1086 bytes +Signature Packet, new CTB, 1109 bytes Version: 4 Type: SubkeyBinding Pk algo: RSA @@ -375,10 +398,11 @@ Digest prefix: 07FE Level: 0 (signature over data) + Issuer Fingerprint: E987AB7F7E89667776D05B3BB0E9DD20B29F1432 Digest prefix: 99E4 Level: 0 (signature over data) -Public-Subkey Packet, old CTB, 525 bytes +Public-Subkey Packet, new CTB, 525 bytes Version: 4 Creation time: 2016-09-27 09:06:31 UTC Pk algo: RSA 
@@ -386,7 +410,7 @@ Fingerprint: D7662EFEBD18ED4A3E32340E0F54271812103B95 KeyID: 0F54271812103B95 -Signature Packet, old CTB, 543 bytes +Signature Packet, new CTB, 566 bytes Version: 4 Type: SubkeyBinding Pk algo: RSA @@ -396,28 +420,7 @@ Key flags: EtEr Unhashed area: Issuer: B0E9DD20B29F1432 - Digest prefix: D1E5 - Level: 0 (signature over data) - -Public-Subkey Packet, old CTB, 525 bytes - Version: 4 - Creation time: 2021-08-21 03:09:23 UTC - Pk algo: RSA - Pk size: 4096 bits - Fingerprint: 56FAF07285D50A13A260DBC030FAA8E177B849C4 - KeyID: 30FAA8E177B849C4 - -Signature Packet, old CTB, 566 bytes - Version: 4 - Type: SubkeyBinding - Pk algo: RSA - Hash algo: SHA256 - Hashed area: Issuer Fingerprint: E987AB7F7E89667776D05B3BB0E9DD20B29F1432 - Signature creation time: 2021-08-21 03:09:23 UTC - Key flags: A - Unhashed area: - Issuer: B0E9DD20B29F1432 - Digest prefix: 829B + Digest prefix: D1E5 Level: 0 (signature over data)
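Review bot: The `Primary User ID: true` context line in the @@ -22,23 +22,23 @@ hunk now sits under the certification for n.mavrogiannopoulos@gmail.com, whereas before the User ID swap in @@ -6,14 +6,14 @@ it belonged to the nmav@gnutls.org certification, and the commit message's list of substantive updates does not mention this. The refreshed nmav@gnutls.org certification in @@ -46,34 +46,31 @@ shows no primary flag, so the certificate's primary User ID has effectively changed. Please add a bullet for it to the commit message, since tools that display or match on the primary User ID will now show a different address for the same fingerprint.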
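Review bot: In the @@ -232,14 +232,35 @@ hunk the line `Key expiration time: 6years 8months 2days 5h 49m 11s` is removed from Tim's PositiveCertification and no replacement appears in the visible lines, so the self-signature dated 2021-03-07 reads as non-expiring rather than as an updated expiration date. The commit message files this under "updating the expiration dates of most certificates"; it should say explicitly that this certificate's expiry was dropped, because that changes how long the packaged keyring keeps accepting the key without another refresh. The added subkey 5883EEF90A4FC1CF is flagged `Key flags: EtEr` and its binding also has no expiration line; for a file of upstream signing keys it is worth stating whether encryption-only subkeys are being kept deliberately.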
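Review bot: The `Issuer Fingerprint` line added in the @@ -320,31 +341,33 @@ hunk lands under `Unhashed area:` while `Digest prefix: 7E50` stays the same, so this is the existing signature with an extra subpacket that the signature does not cover, not a new signature from the key holder. The same pattern appears with the unchanged prefixes 99E4 and D1E5 in the following hunks, and it accounts for the packet growing from 567 to 590 bytes. The commit message does not list this among the changes; please mention that some packets differ only in their unhashed area, so that anyone comparing this file byte-for-byte against a copy obtained from upstream knows the difference is expected and carries no authenticated content.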
There are 2 open security issues in bullseye.
You can find information about how to handle these issues in the security team's documentation.
Among the 2 debian patches available in version 3.8.6-2 of the package, we noticed the following issues: