Charles Plessy
2016-Sep-04 01:03 UTC
[R-sig-Debian] Please update GPG signature to long format.
Hi Michael and Dirk,

there are rising concerns that, as of today's computing power, an attacker can generate a GPG key that has the same short ID as a target key. In this situation, it may be possible that a user downloads and trusts the attacker's GPG key, and as a consequence installs malware.

For that reason (better explained in http://lwn.net/Articles/697417/), it is recommended to use long IDs or even full fingerprints. I am therefore suggesting to update the instructions at <https://cran.rstudio.com/bin/linux/ubuntu/>.

s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/

(Note that I tested only in Debian Stable, which is one year older than Trusty, so it might be good to double-check on a Trusty system that it works as expected.)

Have a nice day,

Charles

--
Charles Plessy
Tsurumi, Kanagawa, Japan
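Added example, not part of the original messages: a Python sketch of why the short ID in the post above is not enough to select a key, and how a keyring can be audited against the full fingerprint. The listing, the second fingerprint and all function names are constructed for illustration; only the pinned fingerprint comes from the post, and 40-hex-digit (v4) fingerprints are assumed.

```python
# Added illustration: why a signing key is pinned by full fingerprint.
# SAMPLE_LISTING is constructed text in the record layout of
# `gpg --with-colons --fingerprint`: field 1 is the record type and
# field 10 of an "fpr" record is the fingerprint.
import string

PINNED_FPR = "E298A3A825C0D65DFD57CBB651716619E084DAB9"  # from the post
LOOKALIKE_FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F0E084DAB9"  # constructed

SAMPLE_LISTING = "\n".join([
    "pub:-:2048:1:51716619E084DAB9:1287000000:::-:::scESC:",
    "fpr" + ":" * 9 + PINNED_FPR + ":",
    "pub:-:2048:1:C3D2E1F0E084DAB9:1470000000:::-:::scESC:",
    "fpr" + ":" * 9 + LOOKALIKE_FPR + ":",
])

def normalize(key_id):
    """Strip spaces and an optional 0x prefix; require hex digits."""
    cleaned = "".join(key_id.split()).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise ValueError("not a hex key ID: %r" % key_id)
    return cleaned

def fingerprints(listing):
    """Collect the fingerprint field of every fpr record."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            found.append(fields[9].upper())
    return found

def match_by_id(listing, key_id):
    """Select keys the way an ID lookup does: by fingerprint suffix."""
    wanted = normalize(key_id)
    return [f for f in fingerprints(listing) if f.endswith(wanted)]

def audit_keyring(listing, pinned):
    """Return (pinned key present, keys sharing only its short ID)."""
    wanted = normalize(pinned)
    if len(wanted) != 40:
        raise ValueError("pin must be a full 40-hex-digit fingerprint")
    found = fingerprints(listing)
    lookalikes = [f for f in found if f != wanted and f[-8:] == wanted[-8:]]
    return wanted in found, lookalikes

if __name__ == "__main__":
    print(match_by_id(SAMPLE_LISTING, "E084DAB9"))  # both keys
    print(audit_keyring(SAMPLE_LISTING, PINNED_FPR))
```
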
Johannes Ranke
2016-Sep-04 17:18 UTC
[R-sig-Debian] Please update GPG signature to long format.
Hello Charles,

thanks for the hint - I changed the instructions for the Debian section to use the key fingerprint. The change should propagate to CRAN https://cran.r-project.org/bin/linux/debian and its mirrors soon.

Best regards,

Johannes

On Sunday, 4 September 2016, 10:03:16, Charles Plessy wrote:
> Hi Michael and Dirk,
>
> there are rising concerns that, as of today's computing power, an attacker
> can generate a GPG key that has the same short ID as a target key. In this
> situation, it may be possible that a user downloads and trusts the
> attacker's GPG key, and as a consequence installs malware.
>
> For that reason (better explained in http://lwn.net/Articles/697417/), it is
> recommended to use long IDs or even full fingerprints. I am therefore
> suggesting to update the instructions at
> <https://cran.rstudio.com/bin/linux/ubuntu/>.
>
> s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/
>
> (Note that I tested only in Debian Stable, which is one year older than
> Trusty, so it might be good to double-check on a Trusty system that it works
> as expected.)
>
> Have a nice day,
>
> Charles