Please remove MacGPG from due to serious security concerns

Jonathan Schleifer js-gnupg-users at
Thu Feb 19 20:29:43 CET 2015

Am 19.02.2015 um 20:08 schrieb Werner Koch <wk at>:

> Because I have to enter the PIN everytime (right, I do this on purpose),
> the RSA signatures a long, and I do not keep my signing key card
> inserted all the time.  In fact I have to walk out of the office to pick
> it up.

Another approach is to not sign them when working on it and only signing them before pushing using git rebase. I do agree that it's sometimes annoying to always plug it in and out again.

> ps. Here is the key I started to use for commits.
> pub   ed25519/E3FDFF218E45B72B 2015-02-18 [expires: 2025-02-15]
>      Key fingerprint = C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
> uid               [ unknown] Werner Koch (wheatstone commit signing)

+1 for choosing Ed25519! (I did the same because I didn't want commits to be huge).

As most keyservers still don't support Ed25519 keys, I guess it's worth pointing out that you can get the key with --keyserver

Btw, does this mean that basically Ed25519 keys are stable enough now and won't change anymore?


More information about the Gnupg-users mailing list