After the #OpenPGP keysigning party at @embeddedrecipes with 20 registered (and several ad-hoc) participants, the first signatures landed on the keyservers. The strong set size (only considering the 20 registered certificates) increased from 6 to 12.
@geert @monsieuricon If you click on Kevin in the first graph, the part that survives is there.
@geert @monsieuricon With “second path” you mean the svg without SHA-1? If so, there are too many paths and wotmate only shows the first four shortest disjunct paths. That path is actually there also when SHA-1 signatures are considered, just not relevant enough to display it.
I implemented changes for the tool that is used to manage the kernel’s #OpenPGP keyring repo. If @monsieuricon merges it, that makes my trust path degenerate from current trust paths to trust path without SHA-1. For others it’s worse …
The @embeddedrecipes keysigning will be done using the Zimmermann–Sassaman key-signing protocol and the deadline for handing in your certificates to make it on the list is over. If you still want to attend, please bring paper slips with your fingerprint (and of course your passport and a pen). No need to register for that.
If you’re attending @embeddedrecipes this year in Nice (May 14-16), register for the PGP keysigning session with @a3f by sending your public key to er2025-keysigning@baylibre.com.
PGP is used to sign and (hopefully) also verify pull requests. For a big and relevant part of our community the certifications and cross signatures that are the computational base for the trust in the transferred code changes are already long established.
The problem here is that security is a moving target and the algorithms used back then are not considered secure any more. For example GnuPG (and also other OpenPGP implementations) don’t consider SHA-1 secure any more. See my blog for some effects of that on the kernel Web of Trust.
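Added example, not part of the original posts and not wotmate's code: a sketch of how the strong set (the largest group of keys that can all reach each other through certifications) shrinks once SHA-1 certifications are no longer accepted. The key names and certifications are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed certifications: (signer, signee, digest used by the signature).
# Key names and edges are invented for illustration, not real keyring data.
CERTS = [
    ("alice", "bob", "SHA256"), ("bob", "carol", "SHA256"),
    ("carol", "alice", "SHA512"), ("carol", "dave", "SHA256"),
    ("dave", "erin", "SHA256"), ("erin", "alice", "SHA1"),
    ("alice", "frank", "SHA256"),
]

def _dfs(start, edges, seen):
    """Iterative DFS from start; returns the newly visited nodes in post-order."""
    order, stack = [], [(start, iter(sorted(edges[start])))]
    seen.add(start)
    while stack:
        node, successors = stack[-1]
        nxt = next((n for n in successors if n not in seen), None)
        if nxt is None:
            order.append(node)
            stack.pop()
        else:
            seen.add(nxt)
            stack.append((nxt, iter(sorted(edges[nxt]))))
    return order

def strong_set(certs, rejected_digests=frozenset()):
    """Largest strongly connected component (Kosaraju), skipping rejected digests."""
    fwd, rev, nodes = defaultdict(set), defaultdict(set), set()
    for signer, signee, digest in certs:
        nodes.update((signer, signee))
        if digest.upper() not in rejected_digests:
            fwd[signer].add(signee)
            rev[signee].add(signer)
    seen, finish = set(), []
    for node in sorted(nodes):
        if node not in seen:
            finish += _dfs(node, fwd, seen)
    seen, best = set(), set()
    for node in reversed(finish):  # each DFS tree on reversed edges is one component
        if node not in seen:
            component = set(_dfs(node, rev, seen))
            if len(component) > len(best):
                best = component
    return best

def dropped_without(certs, rejected_digests):
    """Keys that leave the strong set once the given digests are no longer accepted."""
    return strong_set(certs) - strong_set(certs, rejected_digests)
```

In this constructed graph a single SHA-1 certification is the only way back from two keys into the core, so rejecting SHA-1 removes both of them from the strong set even though every other signature on them is still valid.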