[PATCH] Make update_keysig_packet honour cert-digest-algo
David Shaw
dshaw at jabberwocky.com
Tue May 12 17:52:56 CEST 2009
On May 12, 2009, at 11:23 AM, J Cruickshanks wrote:
>> gpg --cert-digest-algo the-new-algo -u mykey --edit-key mykey
>> delsig (the old sig)
>> sign (make the new sig)
>> save
>
> The method you have described appears to work successfully. It does
> however have the side effect of wiping away any preferences you already
> have set, therefore they need to be set again. I would also assume that
> expiry dates and primary UIDs would also have to be set again.

That is correct, yes.

> As I mentioned above, this option would probably only be used once or
> twice depending on the future of cryptography, so we could stick with
> the method you have provided for updating the digest. The only worry I
> have with that approach is the potential for the user to forget to
> reapply their preferences, expiry dates, etc. or getting caught out by
> other side effects that I didn't witness in my quick test. I guess it
> depends on how much usage this option will get as to whether to warrant
> its inclusion, but it would make the process much easier for users who
> do wish to change digest algorithms.

This is exactly my concern - we can put in all sorts of options, but
every option costs something to maintain it over the life of the code,
and costs something to document, and costs something to explain it to
people, and increases the complexity of the system.

If hashes were falling like flies and people were having to update
their keys frequently, I'd probably feel differently about this, but
the SHA-1 problem (which I must mention still hasn't even happened) is
the very first time this situation has come up in OpenPGP. (MD5 was
already deprecated by the time it was broken, and was never the
default signing hash in any OpenPGP application).

David
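
Added example, not part of the original message and not GnuPG code: a Python check over `gpg --list-packets` output that reports, for each self-signature, the digest algorithm and which of the preference, expiry and primary-UID subpackets discussed in this thread are absent. The sample listing and key ID are constructed, and the line layout it parses is an assumption that should be compared with the output of the gpg version in use.

```python
import re

# RFC 4880 hash algorithm IDs, and the self-signature subpackets the thread worries about losing.
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WANTED = {9: "key expiration", 11: "cipher prefs", 21: "digest prefs",
          22: "compression prefs", 25: "primary UID"}

# Constructed sample shaped like `gpg --list-packets` output (key ID is made up).
# First UID: old SHA-1 self-signature; second UID: self-signature re-made with SHA-256.
SAMPLE = """\
:user ID packet: "Old UID <old@example.org>"
:signature packet: algo 1, keyid 1122334455667788
\tversion 4, created 1200000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 5c 01
\thashed subpkt 9 len 4 (key expires after 5y0d0h0m)
\thashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
\thashed subpkt 21 len 2 (pref-hash-algos: 8 2)
\thashed subpkt 22 len 2 (pref-zip-algos: 2 1)
\thashed subpkt 25 len 1 (primary user ID)
:user ID packet: "New UID <new@example.org>"
:signature packet: algo 1, keyid 1122334455667788
\tversion 4, created 1242143576, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 3f a1
\tcritical hashed subpkt 27 len 1 (key flags: 03)
"""

def audit_self_sigs(listing, primary_keyid):
    """Per self-signature: UID, digest name, and which WANTED subpackets are absent."""
    uid, sig, sigs = None, None, []
    for raw in listing.splitlines():
        s = raw.strip()
        if m := re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", s):
            sig = {"uid": uid, "issuer": m.group(1).upper(), "cls": 0, "digest": None, "sub": set()}
            sigs.append(sig)
        elif s.startswith(":"):  # any other packet ends the current signature
            sig = None
            if m := re.match(r':user ID packet: "(.*)"', s):
                uid = m.group(1)
        elif sig is not None:
            if m := re.search(r"sigclass 0x([0-9a-fA-F]+)", s):
                sig["cls"] = int(m.group(1), 16)
            elif m := re.match(r"digest algo (\d+)", s):
                sig["digest"] = DIGESTS.get(int(m.group(1)), "algo " + m.group(1))
            elif m := re.match(r"(?:critical )?hashed subpkt (\d+) ", s):
                sig["sub"].add(int(m.group(1)))
    # Keep only certifications (0x10-0x13) issued by the primary key itself.
    return [{"uid": g["uid"], "digest": g["digest"],
             "missing": sorted(n for t, n in WANTED.items() if t not in g["sub"])}
            for g in sigs if g["issuer"] == primary_keyid.upper() and 0x10 <= g["cls"] <= 0x13]
```
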