On 11/4/20 3:53 PM, Geert Hendrickx via pacman-dev wrote:
Larger RSA keys are not the way forward, switch to ed25519 instead.
Currently pacman assumes gpgme from >= the year 2010; is that sufficient to read ed25519? (idk, it's shelling out to gpg and thus likely doesn't care?) Maybe we should bump this anyway, in the expectation that requiring a ~2015 version of gpgme will naturally lead to gpg versions that support generating such keys.
This will also become the default in the next version of GnuPG.
I see such a commit on GnuPG's master branch but not on the stable branch. When do you expect this to be released...
Signed-off-by: Geert Hendrickx <geert@hendrickx.be> --- scripts/pacman-key.sh.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index ccfd1b96..fd9d3793 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -147,8 +147,8 @@ generate_master_key() { # Generate the master key, which will be in both pubring and secring "${GPG_PACMAN[@]}" --gen-key --batch <<EOF %echo Generating pacman keyring master key... -Key-Type: RSA -Key-Length: 4096 +Key-Type: EDDSA +Key-Curve: ed25519 Key-Usage: sign Name-Real: Pacman Keyring Master Key Name-Email: pacman@localhost
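Review bot: the new `Key-Type: EDDSA` / `Key-Curve: ed25519` batch parameters (replacing `Key-Type: RSA` / `Key-Length: 4096`) raise the minimum GnuPG version needed to run generate_master_key(), but the hunk adds no version check and neither the commit message nor the script documents the new requirement; as the reply above notes, pacman currently only assumes a gpgme from around 2010, and older gpg builds cannot generate such keys, so on those installs the unattended `--gen-key --batch` call will fail with an opaque parameter error. Suggest stating the minimum required GnuPG version in the commit message and either bumping the configure-time gpgme check accordingly or having the script check the gpg version up front and print a clear error before attempting generation.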
--
Eli Schwartz
Bug Wrangler and Trusted User