re-issuing subkey binding signatures with alternate digests
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon May 4 19:23:47 CEST 2009
Does anyone know of a way to coax GnuPG (1 or 2) to re-issue existing
subkey-binding signatures? I'd like to refresh the signature over an
OpenPGP subkey to include different parameters. What parameters? One
example would be to add a usage flag. Another (more relevant to my
current digest review) would be to change the digest algorithm used on
the subkey binding signature (e.g. to re-issue a subkey-binding
signature that was originally issued with MD5 to a more acceptable digest).
The only way i see to do it is to change the expiration date on the key,
which triggers the creation of a new subkey binding signature, but that
signature does not seem to respect arguments to --digest-algo or
--cert-digest-algo (it seems to currently re-issue the subkey binding
signature with SHA1 no matter what --digest-algo or --cert-digest-algo
is set to (i've tried with SHA512, SHA256, and MD5, all of which appear
to be silently ignored)).
Is this intentional? Am i doing something wrong? The workflow i've
tested is:
gpg --digest-algo SHA256 --cert-digest-algo SHA256 --edit-key $KEYID
key 1
expire
1y
save
and i view the subkey binding signatures with:
gpg --export --export-options export-minimal "0x${SUBKEYID}!" | \
gpg --list-packets
--dkg
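As an added example (not part of dkg's message and not GnuPG's own code), here is a small Python script that automates the check the post ends with: it parses the text output of `gpg --list-packets`, picks out the subkey-binding signatures (signature class 0x18), reports the digest algorithm each one was made with, and keeps only the newest binding per subkey, since that is the one a re-issued signature is meant to supersede. The packet listing embedded in the script is constructed, with placeholder key IDs and timestamps; the `list_packets_for` helper runs the same two-stage export/list-packets pipeline shown above against a real keyring when a subkey ID is passed on the command line.

```python
"""Report the digest algorithm used on each OpenPGP subkey-binding signature.

Parses the text output of `gpg --list-packets` and flags bindings made with
MD5 or SHA1.  Hypothetical helper script, not part of GnuPG.
"""
import re
import subprocess
from typing import Dict, List

# Hash algorithm IDs from RFC 4880, section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}
SUBKEY_BINDING = 0x18  # signature class of a subkey-binding signature

# Constructed sample of `gpg --list-packets` output (placeholder key IDs and
# timestamps): one subkey carrying an old MD5 binding and a newer SHA256 one.
# Real gpg output indents the detail lines with a tab; strip() handles either.
SAMPLE_PACKETS = """\
:public key packet:
    version 4, algo 1, created 1230000000, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example User <user at example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1230000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2008-12-23)
:public sub key packet:
    version 4, algo 1, created 1230000100, expires 0
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1230000100, md5len 0, sigclass 0x18
    digest algo 1, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2008-12-23)
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241457827, md5len 0, sigclass 0x18
    digest algo 8, begin of digest ef 01
    hashed subpkt 2 len 4 (sig created 2009-05-04)
"""


def subkey_binding_digests(packets: str) -> List[Dict]:
    """Return one record per subkey-binding signature, in packet order."""
    sigs: List[Dict] = []
    pkt = None      # kind of packet currently being read
    subkey = None   # key ID of the most recent subkey packet seen
    cur: Dict = {}
    for raw in packets.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a new packet header
            if line.startswith((":public sub key packet:", ":secret sub key packet:")):
                pkt = "subkey"
            elif line.startswith(":signature packet:"):
                pkt = "sig"
                cur = {"subkey": subkey, "sigclass": None, "created": None, "digest_id": None}
                sigs.append(cur)
            else:
                pkt = "other"
            continue
        if pkt == "subkey":
            m = re.match(r"keyid: ([0-9A-Fa-f]+)", line)
            if m:
                subkey = m.group(1).upper()
        elif pkt == "sig":
            if line.startswith("version"):
                # e.g. "version 4, created 1241457827, md5len 0, sigclass 0x18"
                m = re.search(r"created (\d+)", line)
                if m:
                    cur["created"] = int(m.group(1))
                m = re.search(r"sigclass 0x([0-9A-Fa-f]+)", line)
                if m:
                    cur["sigclass"] = int(m.group(1), 16)
            m = re.match(r"digest algo (\d+)", line)
            if m:
                cur["digest_id"] = int(m.group(1))
    out = []
    for s in sigs:
        if s["sigclass"] != SUBKEY_BINDING:
            continue
        name = HASH_ALGOS.get(s["digest_id"], f"unknown({s['digest_id']})")
        out.append({"subkey": s["subkey"], "created": s["created"],
                    "digest": name, "weak": name in WEAK_DIGESTS})
    return out


def latest_bindings(bindings: List[Dict]) -> Dict[str, Dict]:
    """Keep only the newest binding per subkey: the one a re-issued
    signature is meant to supersede the older ones with."""
    latest: Dict[str, Dict] = {}
    for b in bindings:
        prev = latest.get(b["subkey"])
        if prev is None or b["created"] > prev["created"]:
            latest[b["subkey"]] = b
    return latest


def list_packets_for(subkey_id: str) -> str:
    """Run the export | --list-packets pipeline from the post on a real keyring."""
    exported = subprocess.run(
        ["gpg", "--export", "--export-options", "export-minimal", f"0x{subkey_id}!"],
        check=True, capture_output=True).stdout
    return subprocess.run(["gpg", "--list-packets"], input=exported,
                          check=True, capture_output=True).stdout.decode()


if __name__ == "__main__":
    import sys
    text = list_packets_for(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKETS
    for subkey, b in latest_bindings(subkey_binding_digests(text)).items():
        status = "WEAK" if b["weak"] else "ok"
        print(f"subkey {subkey}: current binding digest {b['digest']} [{status}]")
```

On the constructed sample the subkey shows two bindings, MD5 then SHA256, and `latest_bindings` reports the SHA256 one as current; running it after an `--edit-key ... expire` round trip is a quick way to confirm which digest the freshly issued binding signature actually carries.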