doc: Recommend against SHA1 OpenPGP signatures.

* doc/contributing.texi (Commit Access): Recommend against SHA1
signatures.
This commit is contained in:
Ludovic Courtès 2020-05-02 23:53:25 +02:00
parent 84133320b8
commit 4a84deda74
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5

View file

@ -1187,6 +1187,16 @@ the OpenPGP key you will use to sign commits, and giving its fingerprint
(see below). See @uref{https://emailselfdefense.fsf.org/en/}, for an (see below). See @uref{https://emailselfdefense.fsf.org/en/}, for an
introduction to public-key cryptography with GnuPG. introduction to public-key cryptography with GnuPG.
@c See <https://sha-mbles.github.io/>.
Set up GnuPG such that it never uses the SHA1 hash algorithm for digital
signatures, which is known to be unsafe since 2019, for instance by
adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG
Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}):
@example
digest-algo sha512
@end example
@item @item
Maintainers ultimately decide whether to grant you commit access, Maintainers ultimately decide whether to grant you commit access,
usually following your referrals' recommendation. usually following your referrals' recommendation.