Release tarball GPG signature verification uses weak hash and lacks keychain documentation
I’m the new volunteer maintainer for the cairomm package in Fedora. Per Fedora guidelines and general best practices, I would like to start verifying the release tarballs using the GPG signatures published in https://www.cairographics.org/releases/. I have a couple of problems:
- For the signatures to be useful, there needs to be a keychain published with the signing keys; or, there could be documentation regarding a keyserver that knows about the signing keys so I can build my own keychain. If either exists, I have not been able to find it. The latest release 1.16.0 is signed with RSA key 6CB445A816504714AA4962579EBA155FCC12D2C0.
- The signature verifies the .sha1 checksum file, but SHA1 has been somewhat broken (collision found) since 2017, and severely broken for signatures (chosen prefix attack, https://sha-mbles.github.io/) since 2020. A cryptographically strong signature would verify a file containing a strong checksum like SHA256, or would verify the release tarball directly (the more common practice).
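
The second point above, as an added example that is not part of the original report or any cairographics tooling: when a signature covers only a checksum file, the tarball is bound to the signing key no more strongly than the digest algorithm in that file allows. The function names, the "strong" policy set and the sample data are assumptions made for illustration, and the OpenPGP signature over the checksum file is assumed to have been verified separately against a pinned key.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm name, for the usual *sum file formats.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Policy assumption for this example: only these are acceptable under a signature.
STRONG = {"sha256", "sha512"}


def parse_checksum_line(text, filename):
    """Return (algorithm, hex_digest) for `filename` from sha1sum/sha256sum-style text."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        # A leading "*" on the name marks binary mode in the *sum format.
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if name != filename:
            continue
        algo = DIGEST_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("unrecognised digest for " + filename)
        return algo, digest
    raise ValueError("no entry for " + filename)


def check_signed_checksum(checksum_text, filename, tarball_bytes):
    """Assess the checksum link of the chain signature -> checksum file -> tarball.

    Returns "ok", "mismatch", or "weak-digest".
    """
    algo, expected = parse_checksum_line(checksum_text, filename)
    actual = hashlib.new(algo, tarball_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "mismatch"
    # A matching digest proves little if the algorithm permits collisions:
    # the signature then binds to the digest, not to one unique tarball.
    return "ok" if algo in STRONG else "weak-digest"


# Constructed sample data (not a real cairomm release).
TARBALL = b"constructed stand-in for cairomm-X.Y.Z.tar.xz contents"
NAME = "cairomm-X.Y.Z.tar.xz"
SHA1_FILE = hashlib.sha1(TARBALL).hexdigest() + "  " + NAME + "\n"
SHA256_FILE = hashlib.sha256(TARBALL).hexdigest() + "  " + NAME + "\n"

if __name__ == "__main__":
    print(check_signed_checksum(SHA1_FILE, NAME, TARBALL))
    print(check_signed_checksum(SHA256_FILE, NAME, TARBALL))
```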