New SHA-1 Attack Implications 2020

This one is pretty ugly and confuses GPG 1.4 when verifying keys using the web of trust. Debian has moved to gpg2 by default for a while now so I don;t think this applies.

Git however still hasn’t deprecated SHA1 and is a security problem for projects that don’t sign tags.


Cryptographically strong code signing · Issue #2240 · QubesOS/qubes-issues · GitHub