diff options
author | Ludovic Courtès <ludo@gnu.org> | 2020-05-02 23:53:25 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2020-05-04 09:56:14 +0200 |
commit | 4a84deda7489f668cd833b59daeb504cbd87fa2b (patch) | |
tree | 6275a139b22ec7070b16f40c96051bb0ec0a28c4 | |
parent | 84133320b8fb70f093831203a028ed2ffb6082ce (diff) | |
download | guix-4a84deda7489f668cd833b59daeb504cbd87fa2b.tar.gz guix-4a84deda7489f668cd833b59daeb504cbd87fa2b.zip |
doc: Recommend against SHA1 OpenPGP signatures.
* doc/contributing.texi (Commit Access): Recommend against SHA1
signatures.
-rw-r--r-- | doc/contributing.texi | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi index 0ec7a48b96..9583120742 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi @@ -1187,6 +1187,16 @@ the OpenPGP key you will use to sign commits, and giving its fingerprint (see below). See @uref{https://emailselfdefense.fsf.org/en/}, for an introduction to public-key cryptography with GnuPG. +@c See <https://sha-mbles.github.io/>. +Set up GnuPG such that it never uses the SHA1 hash algorithm for digital +signatures, which is known to be unsafe since 2019, for instance by +adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG +Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}): + +@example +digest-algo sha512 +@end example + @item Maintainers ultimately decide whether to grant you commit access, usually following your referrals' recommendation. |