From 80e51258d5ef8c2b8c5469a8ea487f9b8c750f51 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Sun, 28 Dec 2025 14:41:38 -0500 Subject: [PATCH 1/2] Add information about age post-quantum key support. Add age post-quantum recipient key. --- SECURITY.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index bc77781..1e5131b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,12 +10,26 @@ AzureSignTool and AzureSign.Core currently only support the latest version. Use Security issues or vulnerabilities should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in this repository. Additional information is available on the [GitHub Documentation](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). + ### E-mail If using GitHub reports is not preferred or you do not have a GitHub account, email at kevin@vcsjones.dev is acceptable. If necessary, email content can be encrypted using [age](https://filippo.io/age) using the following recipient key: +```plain 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 +``` + +age 1.3.0 or later is required for the post-quantum recipient key support. Alternatively, an age plugin can support post-quantum recipients with previous versions of age. See the [age 1.3.0 release notes](https://github.com/FiloSottile/age/releases/tag/v1.3.0) for details. + +
+Previous Keys + +The following are previous keys that were used for reports. To my knowledge, they are not compromised however are no longer used. The values exist her for posterity. + ```plain age1jns778dpwkxta0e6tjv3345jy6dfr8a8mq9xznge7muyz6nu0v5sg7x6wn ``` +
+ E-mail responses and handling will be slower than using the GitHub provided mechanism. From 147e9311d289f9a8f324090188f596e6b9f0104b Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Sun, 28 Dec 2025 15:57:39 -0500 Subject: [PATCH 2/2] Run on markdown changes to keep CI happy. --- .github/workflows/pr.yml | 2 -- SECURITY.md | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 79e830e..23ccc45 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -5,8 +5,6 @@ permissions: on: pull_request: - paths-ignore: - - '**.md' jobs: build: diff --git a/SECURITY.md b/SECURITY.md index 1e5131b..95f9834 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,8 +8,7 @@ AzureSignTool and AzureSign.Core currently only support the latest version. Use ### GitHub -Security issues or vulnerabilities should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in this repository. Additional information is available on the [GitHub Documentation](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). - +Security issues or vulnerabilities should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in this repository. Additional information is available on the [GitHub Documentation](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-secur ### E-mail
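Review bot: In PATCH 1/2, the added "Previous Keys" paragraph in SECURITY.md has a typo: "The values exist her for posterity" should read "here". In the same paragraph, "they are not compromised however are no longer used" reads better as "they are not compromised, but they are no longer used". The retired key sits in the same kind of `plain` block as the current recipient, so it would help to state outright that new reports must not be encrypted to it; a reporter copying from the page could otherwise pick the wrong one. The sentence about "an age plugin" for older age versions does not name the plugin, and naming or linking it would save the reporter from searching the release notes.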
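Review bot: In PATCH 2/2, the pr.yml hunk drops the `paths-ignore: '**.md'` filter under `pull_request`, but the commit message ("keep CI happy") does not say what was failing. Please state the reason in the message, for example whether a check was never reported on markdown-only pull requests, so a later reader does not restore the filter. With the filter gone, the `build` job runs on every documentation-only pull request, which is worth mentioning as an accepted cost.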
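Review bot: In PATCH 2/2, the SECURITY.md hunk removes the blank line before "### E-mail" that PATCH 1/2 added and rewrites the "Security issues or vulnerabilities" paragraph with no difference visible in the text shown, so it looks like whitespace cleanup of the first patch. Consider squashing it into PATCH 1/2 so the series does not add and then remove the same line, and so this commit carries only the workflow change its subject describes.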