un-trusting MD5 in gpg

Werner Koch wk at gnupg.org
Thu May 7 18:41:17 CEST 2009

On Thu,  7 May 2009 17:34, dshaw at jabberwocky.com said:
>   --blacklist-digest-algo (name or number)
>   --no-blacklist-digest-algo (name or number)
> Repeating the blacklist-digest-algo option can be done to add more
> than one algorithm to the blacklist.  no-blacklist-digest-algo can be
> used to remove something from the list.  Whoever gets in last (add to
> the list or remove from the list) wins.


> A blacklisted digest will cause signature verification to fail with an
> appropriate error message along the lines of "digest algorithm is
> blacklisted" (internally, GPG_ERR_BLACKLISTED_DIGEST or the like).

The name of the erro code is too specific.  GPG_ERR_DISABLED_DIGEST is
better; if you like the error message may say "...disabled or blacklisted".

> A key certification created with a blacklisted digest will not be part
> of the web of trust.
> A blacklisted digest will also not be usable when creating a signature/
> certification, with the same sort of error returned.
> This does not affect the use of the digest in things like --print-md.


> gpg --version will flag blacklisted algorithms by putting them in
> [brackets].

Not okay, see my other mail.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-devel mailing list