gnupg 1.4.3 uses SHA1 when preferred Digest is SHA2
David Shaw
dshaw at jabberwocky.com
Mon Jun 12 02:36:46 CEST 2006
On Sun, Jun 11, 2006 at 09:46:37PM +0100, Jason Wittlin-Cohen wrote:
> I was playing around with the gnupg command line options and I noticed
> that whenever I signed or encrypted and signed a file, GPG would use
> SHA1 rather than SHA256, which is the preferred digest for my primary key.
>
> I confirmed that SHA256 was the preferred digest by using "gpg
> --edit-key 2228BC8F" and then did "showpref" which outputted the
> relevant line:
>
> "Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1"
>
> Yet, when I encrypt and sign a file with "gpg -esv blah.txt" I see:
>
> "gpg: RSA/SHA1 signature from: "2228BC8F Jason Wittlin-Cohen
> <jasonwc at brandeis.edu>"
>
> When I manually specify "gpg -esv --digest-algo SHA256 blah.txt" I see:
>
> "gpg: RSA/SHA256 signature from: "2228BC8F Jason Wittlin-Cohen
> <jasonwc at brandeis.edu>"
>
> I can also manually specify SHA384 or SHA512 and Enigmail will use
> SHA256,384, or 512 as well, without complaints.
>
> Any idea why GPG isn't using my preferred digest unless I manually
> specify it? It does use my preferred cipher (AES-256).
The misunderstanding here is that "showpref" sets preferred algorithms
for outgoing messages. It doesn't. The preferences on the key are
used on messages being sent *to* your key. If you want to set
preferences for outgoing messages, stick something like:
personal-digest-preferences sha256 sha384 sha512
in your gpg.conf.
David
More information about the Gnupg-users
mailing list