Please remove MacGPG from due to serious security concerns

Werner Koch wk at
Wed Feb 18 15:57:12 CET 2015

On Wed, 18 Feb 2015 11:52, js-gnupg-users at said:

> I do verify the fingerprint, and they are quite easy to find actually:
> First Google match for "GitHub SSH fingerprint".

Using a search engine to find important information is not very user
friendly.  The host keys should be linked from the root page.  But in
this regard this is not different than any root CA - most make it really
hard to find the fingerprint and the support lines sometimes don't even
known why one what to check this.

> Makefile / PKGBUILD / however it is called that is then verified. So I
> guess you can't easily map that to "Only x% of users check the
> downloaded tarball". I guess it's a lot more, it's just not all check
> it using the .sig.

Sure I can.  If there are 1000 downloads of the tarball and only 100 of
the corresponding sig it should be pretty clear that 90% of those who
download not even pretend to check the signature.

> git commit -S <keyID>
> You can just create an alias for that, I for example use git ci.

I know that but I would like to have a different key for tag and commit.
Requiring an option is just too cumbersome.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list