doc: Recommend against SHA1 OpenPGP signatures.

* doc/contributing.texi (Commit Access): Recommend against SHA1 signatures.
author: Ludovic Courtès <ludo@gnu.org> 2020-05-02 23:53:25 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2020-05-04 09:56:14 +0200
commit: 4a84deda7489f668cd833b59daeb504cbd87fa2b (patch)
tree: 6275a139b22ec7070b16f40c96051bb0ec0a28c4
parent: 84133320b8fb70f093831203a028ed2ffb6082ce (diff)
download: patches-4a84deda7489f668cd833b59daeb504cbd87fa2b.tar
patches-4a84deda7489f668cd833b59daeb504cbd87fa2b.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 0ec7a48b96..9583120742 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1187,6 +1187,16 @@ the OpenPGP key you will use to sign commits, and giving its fingerprint
 (see below).  See @uref{https://emailselfdefense.fsf.org/en/}, for an
 introduction to public-key cryptography with GnuPG.
 
+@c See <https://sha-mbles.github.io/>.
+Set up GnuPG such that it never uses the SHA1 hash algorithm for digital
+signatures, which is known to be unsafe since 2019, for instance by
+adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG
+Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}):
+
+@example
+digest-algo sha512
+@end example
+
 @item
 Maintainers ultimately decide whether to grant you commit access,
 usually following your referrals' recommendation.
author	Ludovic Courtès <ludo@gnu.org>	2020-05-02 23:53:25 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2020-05-04 09:56:14 +0200
commit	4a84deda7489f668cd833b59daeb504cbd87fa2b (patch)
tree	6275a139b22ec7070b16f40c96051bb0ec0a28c4
parent	84133320b8fb70f093831203a028ed2ffb6082ce (diff)
download	patches-4a84deda7489f668cd833b59daeb504cbd87fa2b.tar patches-4a84deda7489f668cd833b59daeb504cbd87fa2b.tar.gz