Please remove MacGPG from due to serious security concerns

Werner Koch wk at
Thu Feb 19 20:08:17 CET 2015

On Thu, 19 Feb 2015 18:15, js-gnupg-users at said:

> I don't really see how that is cumbersome if you have an alias for tag
> and for commit that each specify the key you want?

Because it is too easy to forget about it.  And I would need to teach
Magit.  I started to use a new key for commits.  Let's hope that I don't
forget to tag the releases with the other key.

> As an aside, what's the reason for not signing the commits with the
> key on the card? I sign all my commits with the key stored on my

Because I have to enter the PIN every time (right, I do this on purpose),
the RSA signatures are long, and I do not keep my signing key card
inserted all the time.  In fact I have to walk out of the office to pick
it up.

Using an on-disk key for commits is okay because it only serves the purpose
to assert that the commit was done on one of my machines.  If that
machine has been compromised all kinds of things can be manipulated and
thus the extra protection a smartcard gives is not useful.



ps. Here is the key I started to use for commits.

pub   ed25519/E3FDFF218E45B72B 2015-02-18 [expires: 2025-02-15]
      Key fingerprint = C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
uid               [ unknown] Werner Koch (wheatstone commit signing)

Thoughts are free.  Exceptions are regulated by a federal law.