[PATCH] Make update_keysig_packet honour cert-digest-algo
dshaw at jabberwocky.com
Tue May 12 17:52:56 CEST 2009
On May 12, 2009, at 11:23 AM, J Cruickshanks wrote:
>> gpg --cert-digest-algo the-new-algo -u mykey --edit-key mykey
>> delsig (the old sig)
>> sign (make the new sig)
> The method you have described appears to work successfully. It does
> however have the side effect of wiping away any preferences you
> have set, therefore they need to be set again. I would also assume
> expiry dates and primary UIDs would also have to be set again.
That is correct, yes.
> As I mentioned above, this option would probably only be used once or
> twice depending on the future of cryptography, so we could stick with
> the method you have provided for updating the digest. The only worry I
> have with that approach is the potential for the user to forget to
> reapply their preferences, expiry dates, etc. or getting caught out by
> other side effects that I didn't witness in my quick test. I guess it
> depends on how much usage this option will get as to whether to
> its inclusion, but it would make the process much easier for users who
> do wish to change digest algorithms.
This is exactly my concern - we can put in all sorts of options, but
every option costs something to maintain it over the life of the code,
and costs something to document, and costs something to explain it to
people, and increases the complexity of the system.
If hashes were falling like flies and people were having to update
their keys frequently, I'd probably feel differently about this, but
the SHA-1 problem (which I must mention still hasn't even happened) is
the very first time this situation has come up in OpenPGP. (MD5 was
already deprecated by the time it was broken, and was never the
default signing hash in any OpenPGP application).
More information about the Gnupg-devel