river-dev mailing list archives

From Robert Burrell Donkin <robertburrelldon...@gmail.com>
Subject Re: Apache release signing on Solaris 10
Date Mon, 04 Jan 2010 08:45:47 GMT
On Mon, Jan 4, 2010 at 12:32 AM, Craig L Russell <Craig.Russell@sun.com> wrote:
> Hi Peter,
> The only reason *not* to use 1.4.10 IMHO is if the generated artifacts
> somehow are incompatible with other GPG programs out there.

unfortunately, some older programs are no longer secure after the
SHA-1 breakage. you need to check that SHA is set to 512 (or 256) for
signing and that both encrypt and sign keys are 4096 bit RSA (the
older versions did not use RSA for both keys).

- robert
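
An added example, not part of the message above: a shell check of the two conditions it names (RSA keys of 4096 bits for both signing and encryption, and SHA-512 or SHA-256 as the signing digest), run over constructed key listings in GnuPG's `--with-colons` layout. The function names, the sample keys and the choice to test `personal-digest-preferences` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Sample key listings are constructed, in `gpg --with-colons` layout:
# field 1 = record type, 3 = key length, 4 = algorithm (1 RSA, 16 Elgamal, 17 DSA), 5 = key id.
OLD_KEY='pub:u:1024:17:AAAAAAAAAAAAAAAA:1104537600:::u:::scESC:
uid:u::::::::Example Releaser (constructed) <releaser@example.invalid>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1104537600::::::e:'
NEW_KEY='pub:u:4096:1:CCCCCCCCCCCCCCCC:1262563200:::u:::scESC:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1262563200::::::e:'

# Read a colon-format listing on stdin. Report every primary key or subkey
# that is not RSA or is shorter than 4096 bits. Status 0 only if all pass.
check_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            seen++
            if ($4 != 1)        { printf "%s %s: algorithm %s is not RSA\n", $1, $5, $4; bad++ }
            else if ($3 < 4096) { printf "%s %s: RSA %s bits, want 4096\n", $1, $5, $3; bad++ }
        }
        END { if (bad > 0 || seen == 0) exit 1 }
    '
}

# Read gpg.conf text on stdin. Pass only if the first entry of
# personal-digest-preferences is SHA512 or SHA256; a missing line fails
# (assumption of this example: do not rely on the program default).
check_digest() {
    awk '
        $1 == "personal-digest-preferences" { first = toupper($2) }
        END {
            if (first == "SHA512" || first == "SHA256") exit 0
            printf "first digest preference is \"%s\", want SHA512 or SHA256\n", first
            exit 1
        }
    '
}

# Demo on the constructed samples. Real use:
#   gpg --with-colons --list-keys KEYID | check_keys
#   check_digest < ~/.gnupg/gpg.conf
printf '%s\n' "$OLD_KEY" | check_keys || echo "old key pair: FAIL"
printf '%s\n' "$NEW_KEY" | check_keys && echo "new key pair: OK"
printf 'personal-digest-preferences SHA512 SHA384 SHA256\n' | check_digest && echo "digest: OK"
```

The old sample pair (DSA primary, Elgamal subkey) is the layout the message refers to when it says older versions did not use RSA for both keys.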
