please change the default hashing algorithm

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 13 01:12:09 CEST 2015


On Sun 2015-07-12 11:47:28 -0400, Andrew Clausen wrote:

> By default, GPG uses the SHA1 hashing algorithm, which has been
> believed to be weak for over 10 years.[1] Is it possible to change the
> default over to SHA256?

I agree with you that SHA1 should not be the default in 2015 for any
situation where collision resistance is necessary.

What version of gpg are you testing?  in the modern branch (testing
version 2.1.6 here) the default is indeed SHA256 for certificate
generation.  Also, there are many places where digest algorithms are
used; maybe you're looking at a different place than i'm looking at?  If
you can show the specific workflow you're using that defaults to SHA1,
that would make it easier for other people to confirm the problem.

       --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: </pipermail/attachments/20150712/9e52fb95/attachment.sig>


More information about the Gnupg-devel mailing list