restrict the set of accepted digest algorithms
HW42
hw42 at ipsumj.de
Tue Feb 10 17:09:48 CET 2015
Hauke Laging:
> Am Di 10.02.2015, 03:45:31 schrieb HW42:
>
>> is there an option to restrict the set of "accepted" (see below) set
>> of digest algorithms (after searching the man page I don't think so)?
>
> That is not possible (in the general case and the one you are interested
> in) because the standard required SHA-1 to be accepted.
So you have a policy to not include options which can violate the
OpenPGP standard?
> But, of course, you are not required to use the exit code for a
> decision. Run
>
> gpg -v --status-fd 1 --verify
>
> and check the output for a line starting with "[GNUPG:] VALIDSIG". It if
> appears then the seventh field after VALIDSIG is the digest algo number.
> Check that against your set.
I'm aware of this possibility. It just require much more work than to
add a cmdline parameter (or set an option in gpg.conf) for the software
using GnuPG. Especially if I want to check certification chains.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150210/c8e633ea/attachment-0001.sig>
More information about the Gnupg-devel
mailing list