View Issue Details

ID: 0002028
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2015-01-18 19:52
Reporter: kwadronaut
Assigned To: muts
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0002028: Use full fingerprint instead of short key-id for verifying downloads
Description

On the download page (https://www.kali.org/downloads/) the instructions for verifying the download use the short key ID '7D8D0BF6'. This is considered bad practice, given how easy it is to produce collisions, and until recently GnuPG didn't fetch long key IDs properly. I suggest adding the full fingerprint to the instructions.

Additional Information

https://bugs.g10code.com/gnupg/issue1340
https://www.debian-administration.org/users/dkg/weblog/105
https://qubes-os.org/wiki/VerifyingSignatures
https://help.riseup.net/en/security/message-security/openpgp/best-practices#selecting-a-keyserver-and-configuring-your-machine-to-refresh-your-keyring
http://www.openwall.com/lists/oss-security/2014/10/10/11
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html

Activities

muts

2015-01-18 19:52

reporter   ~0002974

Thanks, download page updated to display long key ids.
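
An added example, not part of the original report or of the Kali download instructions: a shell check that pins a signing key by its full fingerprint, run over constructed `gpg --with-colons --fingerprint` style output in which two different keys share the short key ID 7D8D0BF6. The fingerprints, user IDs and function names are made up for illustration.

```shell
#!/bin/sh
# SAMPLE is CONSTRUCTED key-listing output, not real key material: two
# different primary keys whose fingerprints end in the same 8 hex digits,
# so both answer to the short key ID 7D8D0BF6 quoted in the report.
SAMPLE='pub:-:4096:1:AAAAAAAA7D8D0BF6:1330628021:::-:::scSC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7D8D0BF6:
uid:-::::1330628021::::Constructed key A <a@example.invalid>:
sub:-:4096:1:1111111122222222:1330628021::::::e:
fpr:::::::::1111111111111111111111111111111122222222:
pub:-:4096:1:BBBBBBBB7D8D0BF6:1400000000:::-:::scSC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB7D8D0BF6:
uid:-::::1400000000::::Constructed key B <b@example.invalid>:'

# Upper-case a fingerprint and drop the spaces it is usually printed with.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Primary-key fingerprints from a colon listing on stdin: the first "fpr"
# record after each "pub" record; field 10 carries the fingerprint.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Number of primary keys in the listing that a short key ID selects.
count_short_id() {
    id=$(normalize_fpr "$1")
    primary_fprs | grep -c -- "${id}\$" || true
}

# Succeeds only if the argument is a full 40-hex-digit (v4) fingerprint and
# equals a primary key's fingerprint exactly. Returns 2 when given anything
# shorter, so a short or long key ID can never be used as the pin.
key_is_pinned() {
    expected=$(normalize_fpr "$1")
    printf '%s\n' "$expected" | grep -Eq '^[0-9A-F]{40}$' || return 2
    primary_fprs | grep -Fxq -- "$expected"
}

# The short ID is ambiguous in this listing; the full fingerprint is not.
echo "keys matching short ID: $(printf '%s\n' "$SAMPLE" | count_short_id 7D8D0BF6)"
printf '%s\n' "$SAMPLE" |
    key_is_pinned 'AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA 7D8D 0BF6' &&
    echo "full fingerprint pins exactly one key"
```

With a real keyring, the listing would come from `gpg --with-colons --fingerprint` and the pinned value from the fingerprint published on the download page.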

Issue History

Date Modified Username Field Change
2015-01-18 10:47 kwadronaut New Issue
2015-01-18 19:52 muts Note Added: 0002974
2015-01-18 19:52 muts Status new => closed
2015-01-18 19:52 muts Assigned To => muts
2015-01-18 19:52 muts Resolution open => fixed