restrict the set of accepted digest algorithms

lists-gnupgdev at lina.inka.de lists-gnupgdev at lina.inka.de
Tue Feb 10 17:37:52 CET 2015


On Tue, 10 Feb 2015 17:09:48 +0100,
HW42 <hw42 at ipsumj.de> wrote:

> Hauke Laging:
> > On Tue 10.02.2015, 03:45:31, HW42 wrote:
> > 
> >> is there an option to restrict the set of "accepted" (see below)
> >> set of digest algorithms (after searching the man page I don't
> >> think so)?
> > 
> > That is not possible (in the general case and the one you are
> > interested in) because the standard required SHA-1 to be accepted.
> 
> So you have a policy to not include options which can violate the
> OpenPGP standard?

I didn't want to say anything, but as it is repeated here: this is not
at all helpful. If an outdated standard demands a security level which
is not acceptable for a local application, there is really no use in
enforcing it.

I think this (quite widespread) attitude is one of the reasons GnuPG is
less often used than would be possible. (I am speaking about a
social phenomenon here).

And yes it is good to ensure everybody who wants to communicate on the
internet adheres to a common standard. (at least as long as the standard
is reasonably current, which in case of OpenPGP becomes less and less
true - think of missing curve support, of missing high-security
profiles, of missing segmented encryption (for streaming authenticated
use cases), missing EtM (instead of esoteric modes) or Curve25519/41417).

But there are a lot of locally governed use cases where PGP format is
used but with additional restrictions or extensions (I actually
suspect such things (distribution file signing, file transfer
applications) are more commonly used than email encryption).

And most of those users are quite happy to define "we
diverge from a standard which does not have the right baseline for us". And
switching of a cryptographic primitive without code change is really
not that big of a sin or unusual requirement. (Just take a look at how
long md5 was still in use).

Regards
Bernd


> 
> > But, of course, you are not required to use the exit code for a 
> > decision. Run
> > 
> > gpg -v --status-fd 1 --verify
> > 
> > and check the output for a line starting with "[GNUPG:] VALIDSIG".
> > If it appears then the seventh field after VALIDSIG is the digest
> > algo number. Check that against your set.
> 
> I'm aware of this possibility. It just requires much more work than to
> add a cmdline parameter (or set an option in gpg.conf) for the
> software using GnuPG. Especially if I want to check certification
> chains.
> 
> 
> 
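
Added example, not part of the original thread and not GnuPG's own code: a minimal wrapper for the `--status-fd` approach quoted above, rejecting a signature whose digest algorithm is outside a local allowlist. It assumes the VALIDSIG layout documented in GnuPG's doc/DETAILS (hash-algo at argument index 7, counting the fingerprint as index 0); the allowlist, function names and sample status lines are constructed for illustration.

```python
import subprocess

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
ALLOWED = {8, 9, 10}  # local policy (assumption): SHA-256/384/512 only

def check_status(status_text, allowed=ALLOWED):
    """Return (ok, reason) for the --status-fd output of one gpg --verify run."""
    digests = []
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        args = parts[2:]
        # args: fpr, date, sig-ts, expire-ts, version, reserved, pk-algo, hash-algo, ...
        if len(args) < 8 or not args[7].isdecimal():
            return False, "malformed VALIDSIG line"
        digests.append(int(args[7]))
    if not digests:
        return False, "no VALIDSIG line"  # fail closed: nothing was validated
    for d in digests:  # every signature on the data must satisfy the policy
        if d not in allowed:
            return False, "digest %s not allowed" % DIGEST_NAMES.get(d, d)
    return True, "ok"

def verify_file(sig_path, data_path):
    """Run gpg on a detached signature and apply the digest policy."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    if proc.returncode != 0:
        return False, "gpg exit code %d" % proc.returncode
    return check_status(proc.stdout)

# Constructed sample status output (fingerprint and timestamps are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_SHA1 = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example\n"
               "[GNUPG:] VALIDSIG %s 2015-02-10 1423586272 0 4 0 1 2 00 %s\n"
               % (FPR, FPR))
SAMPLE_SHA256 = SAMPLE_SHA1.replace(" 0 4 0 1 2 00 ", " 0 4 0 1 8 00 ")

if __name__ == "__main__":
    print(check_status(SAMPLE_SHA1))
    print(check_status(SAMPLE_SHA256))
```

The check covers only the digest of the signature being verified; it says nothing about the digests used in the key certifications behind it, which is the gap raised in the quoted reply.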



