please change the default hashing algorithm
Andrew Clausen
andrew.p.clausen at gmail.com
Mon Jul 13 11:41:11 CEST 2015
Hi Dan,
On 13 July 2015 at 00:12, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> I agree with you that SHA1 should not be the default in 2015 for any
> situation where collision resistance is necessary.
>
> What version of gpg are you testing?
I initially tried the 1.4.16 and 2.0.22 packages in the latest Ubuntu
long-term supported distribution.
> If you can show the specific workflow you're using that defaults to SHA1,
> that would make it easier for other people to confirm the problem.
I couldn't build the latest versions (Ubuntu's gettext is too old),
but I could build 1.4.18 with:
git clone git://git.gnupg.org/gnupg.git
cd gnupg
git checkout gnupg-1.4.18
./autogen.sh
CFLAGS=-g ./configure --without-ldap --without-libcurl
--without-libusb --without-mailprog
make
I tested it by making a test user account, and
gpg --gen-key
echo test > test.txt
gpg --sign test.txt
gpg -v < test.txt
which gives:
gpg: original file name='test.txt'
test
gpg: Signature made Mon 13 Jul 2015 10:16:53 BST using DSA key ID 73207F13
gpg: using PGP trust model
gpg: Good signature from "test test (test) <test at test>"
gpg: binary signature, digest algorithm SHA1
I had trouble building gpg-2.0.28 (gettext too old) and gpg-2.0.26
(make didn't know how to build audit-event.h). I can dig deeper if
that helps, but my guess is that this is clear enough...
Cheers,
Andrew
More information about the Gnupg-devel
mailing list