GPG still supports SHA1, which got another attack today (, 45k$ in AWS costs), yet the dev team doesn't seem to be able to get their butts into gear and deprecate old things.

I recommend switching to alternative tools; signify/minisign for signatures, age ( for encryption, and just don't use email or signed git commits, just sign a tarball or tags.

Sign in to participate in the conversation
Manechat on Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!