Hello,
in 2015 I signed with my key E2DCDD9132669BD6 all five UIDs of the key 2B5EE211C58AEA54 using SHA-1:
uwe@taurus:~$ gpg --list-sigs --with-colon 2B5EE211C58AEA54 | grep E2DCDD9132669BD6 sig:::1:E2DCDD9132669BD6:1433413327::::Uwe Kleine-König <uwe@kleine-koenig.org>:10x:::::2: sig:::1:E2DCDD9132669BD6:1433413327::::Uwe Kleine-König <uwe@kleine-koenig.org>:10x:::::2: sig:::1:E2DCDD9132669BD6:1433413327::::Uwe Kleine-König <uwe@kleine-koenig.org>:10x:::::2: sig:::1:E2DCDD9132669BD6:1433413327::::Uwe Kleine-König <uwe@kleine-koenig.org>:10x:::::2: sig:::1:E2DCDD9132669BD6:1433413327::::Uwe Kleine-König <uwe@kleine-koenig.org>:10x:::::2:
As SHA-1 based signatures are not trusted any more I get a warning when the key is used, e.g.:
uwe@taurus:~/gsrc/linux$ git tag --verify linux-can-next-for-6.15-20250314
object 6bffe88452dbe284747442f10a7ac8249d6495d7
type commit
tag linux-can-next-for-6.15-20250314
tagger Marc Kleine-Budde <mkl@pengutronix.de> 1741958321 +0100
linux-can-next-for-6.15-20250314
gpg: Signature made Fri 14 Mar 2025 02:18:41 PM CET
gpg: using RSA key 9FFB0CD8AF67A85FFC156CF30C7465DFF990919C
gpg: issuer "mkl@pengutronix.de"
gpg: Good signature from "Marc Kleine-Budde <mkl@blackshift.org>" [unknown]
gpg: aka "Marc Kleine-Budde <mkl@pengutronix.de>" [unknown]
gpg: aka "Marc Kleine-Budde <kleine-budde@pengutronix.de>" [unknown]
gpg: aka "Marc Kleine-Budde <m.kleine-budde@pengutronix.de>" [unknown]
gpg: aka "Marc Kleine-Budde <marc.kleine-budde@pengutronix.de>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C140 0BA0 B398 9E6F BC7D 5B5C 2B5E E211 C58A EA54
Subkey fingerprint: 9FFB 0CD8 AF67 A85F FC15 6CF3 0C74 65DF F990 919CThe obvious route forward (assuming I still trust Marc's key) is to re-sign his UIDs with more modern settings, but gpg makes that unnecessarily complicated:
uwe@taurus:~/gsrc/linux$ gpg --quick-sign-key C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 "Marc Kleine-Budde <kleine-budde@pengutronix.de>" "Marc Kleine-Budde <m.kleine-budde@pengutronix.de>" "Marc Kleine-Budde <marc.kleine-budde@pengutronix.de>" "Marc Kleine-Budde <mkl@blackshift.org>" "Marc Kleine-Budde <mkl@pengutronix.de>"; "Marc Kleine-Budde <mkl@blackshift.org>" was already signed by key E2DCDD9132669BD6 "Marc Kleine-Budde <mkl@pengutronix.de>" was already signed by key E2DCDD9132669BD6 "Marc Kleine-Budde <kleine-budde@pengutronix.de>" was already signed by key E2DCDD9132669BD6 "Marc Kleine-Budde <m.kleine-budde@pengutronix.de>" was already signed by key E2DCDD9132669BD6 "Marc Kleine-Budde <marc.kleine-budde@pengutronix.de>" was already signed by key E2DCDD9132669BD6 Nothing to sign with key E2DCDD9132669BD6 gpg: Key not changed so no update needed.
I can use gpg --force-sign-key --quick-sign-key to override gpg thinking an update was not needed, but this is an inconsistent behaviour. If these signatures aren't trusted any more (which is the right choice today), they shouldn't prevent the UIDs to be re-signed.
I plan to recommend others who gave SHA-1 signatures in the past to redo these signatures, but I don't want to recommend the --force-sign-key switch. For one this will result in justified questioning of my suggested procedure because the most obvious explanation for the need of this switch is that my suggestion is bad. Also a command with --force-sign-key will happily resign a UID that was already fixed before which is unfortunate if I give out lists of suggested commands to affected key owners based on the keys in my keyring (which might lack signatures contained in other keyrings).