Bug 6223 - distro signing key is unsafe
Summary: distro signing key is unsafe
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Building & Packaging
Version: SVN Trunk (Latest Devel Version)
Hardware: Other All
Importance: P2 normal
Target Milestone: 3.3.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-21 14:11 UTC by Justin Mason
Modified: 2009-12-02 15:36 UTC
CC List: 4 users
Description Justin Mason 2009-10-21 14:11:07 UTC
http://www.apache.org/dev/release-signing.html notes:

'Committers with a DSA key or an RSA key of length less than 2048 bits should generate a new key for signing releases. The original key does not need to be revoked yet.'

our sa-update signing key is 4096-bit RSA, but 
http://www.apache.org/dist/spamassassin/KEYS uses a 1024-bit DSA key :(

http://www.apache.org/dev/key-transition.html details what we need to do.
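An added check (not part of the bug or of the SpamAssassin project) that applies the quoted apache.org rule to a KEYS file: it reads the machine-readable output of `gpg --show-keys --with-colons KEYS` (GnuPG 2.2 or later) and lists every primary key that is DSA or RSA shorter than 2048 bits. The sample records and key IDs are constructed, not the project's real keys.

```python
"""Flag release-signing keys that fail the apache.org rule quoted above:
DSA keys of any size, and RSA keys shorter than 2048 bits, should be replaced.

Input is the colon-separated listing produced by
    gpg --show-keys --with-colons KEYS
Only 'pub' (primary key) records are inspected; 'sub' records are skipped
because the rule is about the key that signs releases."""

# OpenPGP public-key algorithm IDs as printed in field 4 of gpg's colon format
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

MIN_RSA_BITS = 2048


def parse_pub_records(colon_output):
    """Yield (keyid, algo_name, bits) for each 'pub' record in the listing."""
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 5:
            continue
        bits = int(fields[2])          # field 3: key length in bits
        algo = int(fields[3])          # field 4: public-key algorithm ID
        yield fields[4], ALGO_NAMES.get(algo, "algo%d" % algo), bits


def key_is_acceptable(algo_name, bits):
    """DSA never passes; RSA passes only at 2048 bits or more.
    The quoted rule names only DSA and RSA, so other algorithms are left
    alone here (an assumption of this example, not project policy)."""
    if algo_name == "DSA":
        return False
    if algo_name == "RSA":
        return bits >= MIN_RSA_BITS
    return True


def weak_keys(colon_output):
    """Return the (keyid, algo, bits) triples that fail the rule."""
    return [(kid, algo, bits) for kid, algo, bits in parse_pub_records(colon_output)
            if not key_is_acceptable(algo, bits)]


# Constructed sample: a 1024-bit DSA key like the one the bug describes in the
# KEYS file, and a 4096-bit RSA key like the sa-update key. Key IDs are placeholders.
SAMPLE = """\
pub:-:1024:17:0000000000000001:2001-01-01:::-:::scESC:
uid:-::::2001-01-01::ABCD::Sample DSA key (constructed)::::::::::0:
sub:-:2048:16:0000000000000002:2001-01-01::::::e:
pub:-:4096:1:0000000000000003:2009-01-01:::-:::scESC:
uid:-::::2009-01-01::EF01::Sample RSA key (constructed)::::::::::0:
"""

if __name__ == "__main__":
    for kid, algo, bits in weak_keys(SAMPLE):
        print("replace %s: %s %d-bit fails the release-signing rule" % (kid, algo, bits))
```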
Comment 1 Justin Mason 2009-10-21 14:11:57 UTC
it would be nice to do this for 3.3.0 (but not required... yet)
Comment 2 Mark Thomas 2009-11-30 13:32:51 UTC
Restoring change originally made by Mark Martinec
Comment 3 Warren Togami 2009-12-02 11:16:21 UTC
As discussed on the dev@ list, it is time to generate a new key using these apache.org recommendations. We need someone who knows the old key passphrase to generate the new key, then sign it with the old key. We need the key in order to do the beta and final release of 3.3.0.

We also need to discuss expanding the group of signers to active members of the project.
Comment 4 Justin Mason 2009-12-02 14:00:24 UTC
done!
http://people.apache.org/~jm/KEYS.bug6223 is the new key (and the old one, to allow verification of old releases, until we eventually kill it off).

http://www.apache.org/dist/spamassassin/KEYS has been updated, and will update as the mirrors update.

The key uses the same passphrase as the old one did.  Now to tell more people what that is ;)
Comment 5 Mark Martinec 2009-12-02 15:36:46 UTC
> http://people.apache.org/... is the new key

I think a private key should be a closely guarded secret (not freely
accessible), much more so than its password. A password (say 40 characters
times 6 bits = 240 bits) is a much weaker target than 4096 bits of a
private key.