Why are the signing digest orders in showpref not being used?

Paul Richard Ramer free10pro at gmail.com
Sun Sep 19 23:01:01 CEST 2010


On Wed, 15 Sep 2010 20:18:02 -0700, smu johnson wrote:
> Have I found a bug?  My key pref says SHA256 should be chosen first, so why
> does it use SHA1 instead when I encrypt for that key, and sign also with
> that key?
> 
> If this is not a bug, what is the use of that preference order if it is just
> being ignored in the most basic case?  I realize --digest-algo SHA256 would
> do what I want, but I mean... I thought the order of digests in the public
> key preferences was used to prevent me from having to do that.

GnuPG is overriding the digest preferences in your key.  The default is
to require SHA-1.  You have two choices--override the key's digest
preferences or honor those preferences.  To honor a key's digest
preferences, use "--personal-digest-preferences none", or to safely
mandate your preferences, use "--personal-digest-preferences
digest_1,digest_2,digest_3".

If you want to require a certain digest algorithm use
"--personal-digest-preferences" rather than "--digest-algo", because if
you use "--digest-algo", you could wind up using an algorithm that not
all of your recipients can use.  GnuPG will choose a digest that all
recipients can handle if you use "--personal-digest-preferences".  The
manual for GnuPG provides the following explanation of
"--personal-digest-preferences" (the *bold* emphasis is added to the
below to indicate which portions of the manual used bold):

*--personal-digest-preferences string*
        Set the list of personal digest preferences to *string*. Use
        *gpg --version* to get a list of available algorithms, and use
        *none* to set no preference at all. This allows the user to
        safely override the algorithm chosen by the recipient key
        preferences, as GPG will only select an algorithm that is usable
        by all recipients. The most highly ranked digest algorithm
        in this list is also used when signing without encryption (e.g.
        *--clearsign* or *--sign*). The default value is SHA-1.


--Paul

--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884
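The selection rule the manual text above describes, together with the check a practitioner would run afterwards (reading the hash-algorithm byte out of the resulting signature packet, which is what `gpg --list-packets` reports as "digest algo N"), as an added example written for this page; it is not GnuPG's code. The digest IDs are RFC 4880's. Two things are assumptions: the tie-break used when no personal list is given (lowest summed rank across recipients) is a simplified model of gpg's real selection code, and the signature packet built by `build_sample_signature` is constructed sample data whose MPI and hash bytes are dummies, so it is not a verifiable signature.

```python
"""Added example (not GnuPG code): a model of the digest-selection rule from
the --personal-digest-preferences manual text, plus a reader for the
hash-algorithm byte of an OpenPGP signature packet (the "digest algo N" line
that `gpg --list-packets` prints).  Digest IDs follow RFC 4880 section 9.4."""

SHA1 = 2
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}


def choose_digest(personal, recipients):
    """Pick the digest gpg would use, following the manual's rule.

    personal   -- your --personal-digest-preferences list (algo IDs, ranked),
                  or None for "--personal-digest-preferences none".
    recipients -- one ranked hash-preference list per recipient key, as shown
                  by "showpref"; an empty list means plain --sign/--clearsign.

    Only an algorithm every recipient can use is selected, and the personal
    list decides the order among those.  SHA1 counts as implicitly present in
    every key's list (RFC 4880 13.3.2), so it is the fallback when nothing
    else is common.  The summed-rank tie-break for the "none" case and the
    SHA1 default when signing without a personal list are assumptions made
    for this example, not GnuPG's exact code.
    """
    if not recipients:
        # Signing without encryption: top of the personal list wins.
        return personal[0] if personal else SHA1
    usable = set(recipients[0]) | {SHA1}
    for prefs in recipients[1:]:
        usable &= set(prefs) | {SHA1}
    if personal:
        for algo in personal:
            if algo in usable:
                return algo
        return SHA1  # nothing you listed is usable by everyone

    def summed_rank(algo):
        return sum(p.index(algo) if algo in p else len(p) for p in recipients)

    return min(sorted(usable), key=summed_rank)


def _packet_header(buf):
    """Return (tag, body_offset, body_length) for an OpenPGP packet header."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, buf[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + buf[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(buf[2:6], "big")
        raise ValueError("partial body lengths not supported here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if ltype == 0:
        return tag, 2, buf[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(buf[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(buf[1:5], "big")
    raise ValueError("indeterminate length not supported here")


def signature_hash_algo(buf):
    """Hash algorithm ID of a v3 or v4/v5 signature packet (tag 2)."""
    tag, off, length = _packet_header(buf)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = buf[off:off + length]
    version = body[0]
    if version == 3:
        return body[16]  # v3: ver, 5, sigtype, time(4), keyid(8), pkalgo, hash
    if version in (4, 5):
        return body[3]   # v4/v5: ver, sigtype, pkalgo, hash, ...
    raise ValueError("unsupported signature version %d" % version)


def build_sample_signature(hash_algo, pk_algo=1):
    """Constructed v4 RSA signature packet for testing the reader above.
    The MPI and hash-prefix bytes are dummies; this is NOT a valid signature."""
    body = bytes([4, 0x00, pk_algo, hash_algo])
    hashed = bytes([5, 2]) + (0x4C94DF01).to_bytes(4, "big")  # creation time
    body += len(hashed).to_bytes(2, "big") + hashed
    unhashed = bytes([9, 16]) + bytes(8)                      # issuer key ID
    body += len(unhashed).to_bytes(2, "big") + unhashed
    body += b"\xAB\xCD"                                       # left 16 hash bits
    body += (1).to_bytes(2, "big") + b"\x01"                  # dummy 1-bit MPI
    return bytes([0x88, len(body)]) + body  # old-format header, 1-byte length


if __name__ == "__main__":
    key_prefs = [[8, 2, 9, 10, 11]]  # showpref: SHA256 SHA1 SHA384 SHA512 SHA224
    for label, personal in (("default (SHA-1)", [SHA1]),
                            ("none", None),
                            ("SHA512,SHA256,SHA1", [10, 8, 2])):
        algo = choose_digest(personal, key_prefs)
        print("--personal-digest-preferences %-20s -> %s" % (label, DIGEST_NAMES[algo]))
    print("digest algo in sample packet:", signature_hash_algo(build_sample_signature(8)))
```

Run with the poster's key preferences and the 2010 default personal list (SHA-1 only), `choose_digest` returns SHA1, which is the behaviour the question describes; with `none` it returns SHA256, the key's own first choice. To confirm what gpg actually did, feed the detached or inline signature through `gpg --list-packets` and compare the "digest algo" value with `DIGEST_NAMES`.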
