SHA1 being used despite public key preferences

Daniel Kahn Gillmor dkg at
Wed Oct 20 19:02:57 CEST 2010

On 10/19/2010 07:01 PM, David Shaw wrote:
> In this particular case of the signing digest, GnuPG does in fact honor the
> preferences of the recipient, but for historical reasons, the only
> that the sender will allow is SHA-1 (thus effectively disabling the
> The reason behind this is that old versions of GnuPG generated keys with a
> standard hash preference of RIPEMD/160 before SHA-1.  When GnuPG got
the ability
> to use that preference to decide which hash to pick, people who were expecting
> SHA-1 suddenly got RIPEMD/160.  In order to not violate the law of
least surprise,
> we stuck a SHA-1 preference in personal-digest-preferences.

Thanks for explaining the historical background, David.  So it sounds
like people had published preferences in their public keys stating a
preference for RIPEMD160 over SHA1, and then they were surprised to get
signed docs that used RIPEMD160?  That strikes me as a strange thing to
be surprised by, given that they presumably would have had to explicitly
change their published digest preferences (e.g. with --edit-key setpref).

Anyway, it looks like the outcome of this decision is documented as the
default for personal-digest-preferences in gpg(1):

>>        --personal-digest-preferences string
>>               Set  the list of personal digest preferences to string.  Use gpg
>>               --version to get a list of available algorithms, and use none to
>>               set  no preference at all.  This allows the user to safely over‐
>>               ride the algorithm chosen by the recipient key  preferences,  as
>>               GPG  will only select an algorithm that is usable by all recipi‐
>>               ents.  The most highly ranked digest algorithm in this  list  is
>>               also  used  when signing without encryption (e.g. --clearsign or
>>               --sign). The default value is SHA-1.

given that the --default-preference-list for GnuPG (that is, the default
for selfcert-published preferences for each newly-created key) now lists
at least one SHA-2 algorithm (SHA-256) ahead of SHA-1, perhaps it would
make more sense for the default --personal-digest-preferences to be
updated to match?

I personally think that the --personal-digest-preferences should default
to the strongest supported algorithm:

 SHA512 SHA384 SHA256 SHA224 SHA1

The current --default-preference-list defaults for digest algorithms are:

 SHA256 SHA1 SHA384 SHA512 SHA224

While i continue to think this sequence of digest algorithms is not the
ideal for --default-preference-list [0], i think it is a better
--personal-digest-preferences than the current default value of "SHA1".

geez, these options are confusing.  I *think* i got all the names
referring to the things i intended in the text above :p



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101020/d9b81d25/attachment.pgp>

More information about the Gnupg-devel mailing list