[PATCH] Make update_keysig_packet honour cert-digest-algo

David Shaw dshaw at jabberwocky.com
Tue May 12 19:27:15 CEST 2009


On May 12, 2009, at 12:51 PM, Daniel Kahn Gillmor wrote:

> If gpg wants its generated self-signatures to be acceptable to members
> of both of these sets, it must issue two signatures (one over each
> digest).  You cannot issue two self-sigs like this in gpg right now
> without the --expert option, which indicates that it's probably the
> wrong way to do things.

I do understand what you are asking for.  I just disagree that it is  
warranted for SHA-1 at this time.  This is not a perfect world where  
as soon as there was a question even asked about an algorithm, we  
could just shove it aside and use something else.  This is a very  
messy world where the vast majority of users don't upgrade, don't use  
the latest algorithms, and don't even understand the problem.

There are tools within GPG to accomplish what you want to do today.
It may not be as neat as a new feature, but neither you nor anyone else who
feels the need to do this is being blocked for lack of this
feature.

Again, if we were in the position of changing digest hashes more often  
than once a decade, I might feel differently about some spiffy new  
feature to automate it, but this is the first time it's been necessary  
since 1997.

David



