Bug report #11772
GPG: stop using 32-bit key ID
|Affected QGIS version:||2.6.0||Regression?:||No|
|Operating System:||Easy fix?:||No|
|Pull Request or Patch supplied:||No||Resolution:||fixed/implemented|
|Crashes QGIS or corrupts data:||No||Copied to github as #:||20001|
I'd like to add QGIS Archive Automatic Signing Key (2014) to my keystore. Unfortunately there is no way to tell if key received from keyserver is correct because you use only 32-bit key ID (eg. http://www.qgis.org/en/site/forusers/alldownloads.html#debian).
Since you can generate collision in few seconds (see: https://evil32.com/) it would be much better if you use full key fingerprint or at least provide it somewhere so user can verify it manually.