please change the default hashing algorithm

Andrew Clausen andrew.p.clausen at
Mon Jul 13 11:41:11 CEST 2015

Hi Dan,

On 13 July 2015 at 00:12, Daniel Kahn Gillmor <dkg at> wrote:
> I agree with you that SHA1 should not be the default in 2015 for any
> situation where collision resistance is necessary.
> What version of gpg are you testing?

I initially tried the 1.4.16 and 2.0.22 packages in the latest Ubuntu
long-term supported distribution.

> If you can show the specific workflow you're using that defaults to SHA1,
> that would make it easier for other people to confirm the problem.

I couldn't build the latest versions (Ubuntu's gettext is too old),
but I could build 1.4.18 with:

git clone git://
cd gnupg
git checkout gnupg-1.4.18
CFLAGS=-g ./configure --without-ldap --without-libcurl
--without-libusb --without-mailprog

I tested it by making a test user account, and
gpg --gen-key
echo test > test.txt
gpg --sign test.txt
gpg -v < test.txt

which gives:

gpg: original file name='test.txt'
gpg: Signature made Mon 13 Jul 2015 10:16:53 BST using DSA key ID 73207F13
gpg: using PGP trust model
gpg: Good signature from "test test (test) <test at test>"
gpg: binary signature, digest algorithm SHA1

I had trouble building gpg-2.0.28 (gettext too old) and gpg-2.0.26
(make didn't know how to build audit-event.h).  I can dig deeper if
that helps, but my guess is that this is clear enough...


More information about the Gnupg-devel mailing list