re-issuing subkey binding signatures with alternate digests

Daniel Kahn Gillmor dkg at
Mon May 4 19:23:47 CEST 2009

Does anyone know of a way to coax GnuPG (1 or 2) to re-issue existing
subkey-binding signatures?  I'd like to refresh the signature over an
OpenPGP subkey to include different parameters.  What parameters?  One
example would be to add a usage flag.  Another (more relevant to my
current digest review) would be to change the digest algorithm used on
the subkey binding signature (e.g. to re-issue a subkey-binding
signature that was originally issued with MD5 to a more acceptable digest).

The only way i see to do it is to change the expiration date on the key,
which triggers the creation of a new subkey binding signature, but that
signature does not seem to respect arguments to --digest-algo or
--cert-digest-algo (it seems to currently re-issue the subkey binding
signature with SHA1 no matter what --digest-algo or --cert-digest-algo
is set to (i've tried with SHA512, SHA256, and MD5, all of which appear
to be silently ignored.

Is this intentional?  Am i doing something wrong?  The workflow i've
tested is:

 gpg --digest-algo SHA256 -cert-digest-algo SHA256 edit-key $KEYID
   key 1

and i view the subkey binding signatures with:

 gpg --export --export-options export-minimal "0x${SUBKEYID}!" | \
   gpg --list-packets


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090504/29da4c3a/attachment-0001.pgp>

More information about the Gnupg-devel mailing list