Signature has algorithms
dshaw at jabberwocky.com
Wed Dec 14 17:52:15 CET 2005
On Thu, Dec 08, 2005 at 11:47:42AM +0100, Topas wrote:
> I've seen that one can use different hash algorithms for creating
> signatures. The default is SHA-1 I think, but (and correct me if I'm
> wrong) SHA-512 (or even the "smaller" ones) should be more secure.
> Ok,.. I've seen that one is able to change the used algorithm with the
> "--cert-digest-algo" option. For the primary key I could do the following:
> 1) Set the new algo (gpg.conf or command line).
> 2) Edit the key.
> 2a) Set prefered key server URL.
> 2b) Set some other settings from the primary key self-signature.
> 2c) Set prefered algorithms.
> 3) Delete every new self-signature except the last one (which shuld
> contain all the new settings with the new hash algorithm). (Is this
> possible/resonable, to delete the others?)
> 4) Save the key and be happy.
> But what can I do with the self-sigs from my existing keys? How can I
> recreate them (with the new hash algorithm).
The procedure you give above will put new self signatures on the key.
You can't recreate old ones, but you can delete them. Note that if
you have your key on a keyserver, the old self-sigs will come back
since the keyserver (or really anyone else who has a copy of your
current key) doesn't delete the old self-sigs.
More information about the Gnupg-users