Please remove MacGPG from due to serious security concerns

Jonathan Schleifer js-gnupg-users at
Wed Feb 18 11:52:52 CET 2015

Am 17.02.2015 um 14:22 schrieb Werner Koch <wk at>:

> I do not think that it matters whether you pull using the git or the ssh
> protocol.  In both cases an active attacker can intercept the traffic
> easily.  Virtually nobody checks ssh host keys and how should they do it
> given that I can't find its fingerprint easily on github.  Thus you would only
> see the "host key changed" warning in case this is not the first time
> you connected to this github project (I assume they use different host
> keys per project). 

I do verify the fingerprint, and they are quite easy to find actually:

First Google match for "GitHub SSH fingerprint".

> After all it is not different from downloading tarballs - only 10 to 20%
> of all downloads also download the signature file and for most projects
> there is no signature file.

Well, I guess you have to take into account that a lot of downloads are from packaging software like pkgsrc, FreeBSD ports, Gentoo portage, ArchLinux's makepkg, etc. Usually, these do download the signature and tarball once, verify it and then write a checksum to the Makefile / PKGBUILD / however it is called that is then verified. So I guess you can't easily map that to "Only x% of users check the downloaded tarball". I guess it's a lot more, it's just not all check it using the .sig.

> For we assume that users of the repos closely watch out for
> conflicts and verify the latest release tag.  If there is a problem that
> should be reported to a mailing-list (after verification that it is
> really a conflict).
> git meanwhile allows to sign commits.  If anyone knows a method to set a
> different key for tagging and commits, I would soon start to sign each
> commit.  I use a smartcard based key for tagging but won't use that for
> regular commits.

git commit -S <keyID>

You can just create an alias for that, I for example use git ci.


More information about the Gnupg-users mailing list