[pacman-dev] [PATCH] pacman-key: change signing key to ed25519

Geert Hendrickx geert at hendrickx.be
Wed Nov 4 22:47:36 UTC 2020


On Wed, Nov 04, 2020 at 16:30:19 -0500, Eli Schwartz wrote:
> Currently pacman assumes gpgme from >= the year 2010, is that sufficient
> to read ed25519? (idk, it's shelling out to gpg and thus likely doesn't
> care?) Maybe we should bump this anyway in the expectation that requiring
> a ~2015 version of gpgme will naturally lead to gpg versions that support
> generating such keys.


This change only affects new installations; existing ones will continue
using their rsa2048 (or recently rsa4096) master keys until they re-run
pacman-key --init.


> > This will also become the default in the next version of GnuPG.
> 
> I see such a commit on GnuPG's master branch but not on the stable
> branch. When do you expect this to be released...


Good question, I don't know.  The point is that the trend is clearly
towards EdDSA rather than larger RSA.  And GnuPG (as well as OpenSSH,
etc.) need to be conservative, as they must be interoperable with other
or older implementations; pacman doesn't even have that limitation.


	Geert
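
Added example, not part of the original message or of pacman: since existing installations keep their old master key until pacman-key --init is re-run, this reports which algorithm a keyring's primary keys use by parsing gpg's --with-colons output. The sample records and key IDs are constructed, and the keyring path in the comment is assumed to be the pacman default.

```sh
#!/bin/sh
# Report the algorithm of each primary key in `gpg --with-colons` output
# read from stdin, one "KEYID algorithm" pair per line.
# Colon format: field 1 = record type, 3 = key length, 4 = public-key
# algorithm ID (1 = RSA, 22 = EdDSA), 5 = key ID, 17 = curve name.
classify_keys() {
    awk -F: '
        $1 == "sec" || $1 == "pub" {
            if ($4 == 1)       algo = "rsa" $3
            else if ($4 == 22) algo = ($17 != "" ? $17 : "eddsa")
            else               algo = "algo" $4 "-" $3
            print $5, algo
        }'
}

# Constructed sample records (key IDs are made up): one standing in for an
# older installation, one for a keyring initialised after the change.
sample_old='sec:u:2048:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scSC:::+:::23::0:'
sample_new='sec:u:255:22:BBBBBBBBBBBBBBBB:1604500000:::u:::scSC:::+::ed25519:::0:'

# On a real system (assumes the default keyring path; run as root so the
# secret keyring is readable):
#   gpg --homedir /etc/pacman.d/gnupg --list-secret-keys --with-colons | classify_keys
```

Only `sec` and `pub` records are classified; `uid`, `fpr` and subkey records are skipped, so the output has one line per primary key.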


