GnuPG 1.3.4 SHA256 problem?

Joe Vender jvender at owensboro.net
Tue Dec 2 07:39:39 CET 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 > On Mon, Dec 01, 2003 at 11:19:14AM -0600, Joe Vender wrote:

 >> I've compiled the gnupg 1.3.4 code which is on the download
site using
 >> MinGW on windows and am using it on windows. When I set
 >>
 >>  digest-algo SHA256
 >>
 >> in my gpg.conf file, and then try to clearsign (or anything
else), I get
 >> the following:
 >>
 >> "DSA requires the use of 160 bit hash algorithm
 >> clearsign failed: general error"
 >>
 >> If I use SHA1 as the digest-algo, everything seems to work. I
thought
 >> that this version was supposed to have SHA256 read and write
ability.
 >> What am I doing wrong?


 > SHA256 is a 256-bit hash.  As the error says, DSA requires a
160-bit
hash.

 > SHA256 is only useful if you are using RSA.

 > David

After digging some more, I finally figured out what I was doing
wrong. After generating a new RSA key, the SHA256 hash is
working. On point though that I thought was strange behavior
with gpg:

When trying to use the SHA256 hash with a DSA key and trying to
clearsign text consisting of the word "test" in a file, it would
output:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test


and stop, since it couldn't create the signature. Shouldn't
there be some kind of check that the key is using a compatible
hash *before* asking for a passphrase and not even try to output
any text, as above, if the hash won't work? Or, maybe offer a
choice of compatible hashes or an abort before asking for the
passphrase?

It would be very helpful to have the possibility to be able to
enter seperate RSAV4-digest-algo and DSA-Digest-algo choices in
the gpg.conf file. That way, the user could, by default, use the
SHA256 hash if choosing an RSAv4 key and either the SHA1 or
RIPEMD160 if choosing a DSA key, without having to alter the
gpg.conf when going between RSAv4/DSA keys.

When using the SHA256 hash with the DSA key, I was prompted for
a passphrase, which led me to believe that the settings would
work, and the partial output was confusing, since I wasn't aware
that it wouldn't work. When the SHA256 hash is released
(read/write) as part of the next production stable gnupg, new
gpg users will probably make the same mistake trying to use
SHA256 with a DSA key.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.4 (MingW32) - GPGshell v3.00

iQEVAwUBP8yV2rbJL7F1iP7SAQiDUAf6AyuWqsf/xlYA4sICXqvAE0JqHInXTc+J
wRC4LB65d6NgW+Y9I68lN6nXEdZCPwm35RblDXGtqk9B0bvINprikNfbbykTscbb
DCDGrU1hMKnGq8iKfxXDJnnWJs83srW8JYNjzU9TVRpxvnF39RJ8uzEOY5nOwivV
7AbFqhW9gJ1BUBQrY/K1pZ4HGeH4QejDWu1z5wDaIgJgHPePtTPg0LylgkhJ5yDy
bRFZ2MCLY9yCKT/YooDbMaTrRAQFJDAzRh81NEgDzNorGV5rR5t4L883dU67ov1J
1yfPa6PRKs2M4SsEgZ0ST0MTzjj3PQT2JKBIA+abzPChxYVazickzA==
=1zun
-----END PGP SIGNATURE-----




More information about the Gnupg-devel mailing list