[pacman-dev] [PATCH] pacman-key: change signing key to ed25519

Eli Schwartz eschwartz at archlinux.org
Wed Nov 4 21:30:19 UTC 2020

On 11/4/20 3:53 PM, Geert Hendrickx via pacman-dev wrote:
> Larger RSA keys are not the way forward, switch to ed25519 instead.

Currently pacman assumes gpgme from >= the year 2010; is that sufficient
to read ed25519? (idk, it's shelling out to gpg and thus likely doesn't
care?) Maybe we should bump this anyway in the expectation that
requiring a ~2015 version of gpgme will naturally lead to gpg versions
that support generating such keys.

> This will also become the default in the next version of GnuPG.

I see such a commit on GnuPG's master branch but not on the stable
branch. When do you expect this to be released...

> Signed-off-by: Geert Hendrickx <geert at hendrickx.be>
> ---
>  scripts/pacman-key.sh.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index ccfd1b96..fd9d3793 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -147,8 +147,8 @@ generate_master_key() {
>  	# Generate the master key, which will be in both pubring and secring
>  	"${GPG_PACMAN[@]}" --gen-key --batch <<EOF
>  %echo Generating pacman keyring master key...
> -Key-Type: RSA
> -Key-Length: 4096
> +Key-Type: EDDSA
> +Key-Curve: ed25519
>  Key-Usage: sign
>  Name-Real: Pacman Keyring Master Key
>  Name-Email: pacman at localhost
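Review bot: the commit message should state the minimum GnuPG version this hunk introduces, because `Key-Type: EDDSA` together with `Key-Curve: ed25519` in a `--gen-key --batch` parameter file is only understood by GnuPG 2.1 and later, while the reply above notes pacman currently only assumes a ~2010-era gpgme; either document the new floor in the commit message or bump the version check alongside this change. It is also worth saying explicitly that the change only affects fresh key creation in `generate_master_key()`, so an existing RSA master key is left as is and nothing is re-keyed.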

Eli Schwartz
Bug Wrangler and Trusted User

