[Pkg-cairo-dock-devel] Bug#836561: cairo-dock: gpg key in scripts too short
D Haley
mycae at gmx.com
Sat Sep 3 23:22:14 UTC 2016
Source: cairo-dock
Version: 3.4.0-2
Severity: important
Dear Maintainer,
Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].
The affected file is:
data/scripts/help_scripts.sh [2]
Please consider upgrading to a full key ID, for example, replace the command:
gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>
with
gpg --keyserver <keyserver> --recv-keys <key_full_id>
e.g. (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
becomes:
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
[1] http://lwn.net/Articles/697417
[2] git://anonscm.debian.org/pkg-cairo-dock/cairo-dock.git
commit 49a9279cb91e91e5064136821b377eb84277d613
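
The check this report asks for, as an added example that is not part of the original message or of the cairo-dock package: a shell function that scans a script for `--recv-keys` arguments that are not a full 40-hex-digit (v4) fingerprint. The function name `audit_recv_keys` and the sample file are constructed for illustration; the two sample commands are the ones quoted in the report.

```shell
#!/bin/sh
# audit_recv_keys FILE
# Prints "FILE:LINE: KEYID (N hex digits)" for every literal key ID passed to
# --recv-keys that is not a 40-hex-digit fingerprint. Returns 1 if any were
# found, 0 otherwise. Assumption: v4 fingerprints (160 bit, 40 hex digits).
audit_recv_keys() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^--recv-keys?$/) continue
            # every following token is a key ID until the next option
            for (j = i + 1; j <= NF; j++) {
                id = $j
                if (id ~ /^-/) break
                gsub(/[\042\047]/, "", id)      # drop shell quotes
                sub(/^0[xX]/, "", id)           # drop optional 0x prefix
                if (id !~ /^[0-9A-Fa-f]+$/) break   # variable or other word
                if (length(id) != 40) {
                    printf "%s:%d: %s (%d hex digits)\n", \
                        FILENAME, FNR, $j, length(id)
                    bad = 1
                }
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the short and the full form from the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
EOF

# Only the first line is reported; the full fingerprint passes.
audit_recv_keys "$sample" || echo "short key IDs found in $sample"
rm -f "$sample"
```

Key IDs held in shell variables are not resolved by this check and need to be reviewed by hand.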