06/06: doc: Recommend against SHA1 OpenPGP signatures.

[guix-commits]

civodul pushed a commit to branch wip-openpgp
in repository guix.

commit c35ba4a5cd40c18b72f4e7b31e6f1a54d7cbe6fa
Author: Ludovic Courtès <address@hidden>
AuthorDate: Sat May 2 23:53:25 2020 +0200

    doc: Recommend against SHA1 OpenPGP signatures.
    
    * doc/contributing.texi (Commit Access): Recommend against SHA1
    signatures.
---
 doc/contributing.texi | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/contributing.texi b/doc/contributing.texi
index 0ec7a48..9583120 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1187,6 +1187,16 @@ the OpenPGP key you will use to sign commits, and giving 
its fingerprint
 (see below).  See @uref{https://emailselfdefense.fsf.org/en/}, for an
 introduction to public-key cryptography with GnuPG.
 
+@c See <https://sha-mbles.github.io/>.
+Set up GnuPG such that it never uses the SHA1 hash algorithm for digital
+signatures, which is known to be unsafe since 2019, for instance by
+adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG
+Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}):
+
+@example
+digest-algo sha512
+@end example
+
 @item
 Maintainers ultimately decide whether to grant you commit access,
 usually following your referrals' recommendation.