please change the default hashing algorithm
andrew.p.clausen at gmail.com
Mon Jul 13 11:41:11 CEST 2015
On 13 July 2015 at 00:12, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> I agree with you that SHA1 should not be the default in 2015 for any
> situation where collision resistance is necessary.
> What version of gpg are you testing?
I initially tried the 1.4.16 and 2.0.22 packages in the latest Ubuntu
long-term supported distribution.
> If you can show the specific workflow you're using that defaults to SHA1,
> that would make it easier for other people to confirm the problem.
I couldn't build the latest versions (Ubuntu's gettext is too old),
but I could build 1.4.18 with:

    git clone git://git.gnupg.org/gnupg.git
    cd gnupg
    git checkout gnupg-1.4.18
    CFLAGS=-g ./configure --without-ldap --without-libcurl

I tested it by making a test user account, and

    echo test > test.txt
    gpg --sign test.txt
    gpg -v < test.txt.gpg
    gpg: original file name='test.txt'
    gpg: Signature made Mon 13 Jul 2015 10:16:53 BST using DSA key ID 73207F13
    gpg: using PGP trust model
    gpg: Good signature from "test test (test) <test at test>"
    gpg: binary signature, digest algorithm SHA1

I had trouble building gpg-2.0.28 (gettext too old) and gpg-2.0.26
(make didn't know how to build audit-event.h). I can dig deeper if
that helps, but my guess is that this is clear enough...
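
The same check can be made without gpg by reading the digest algorithm id straight out of the signature packets of a binary (non-armored) signed file. This is an added example, not part of the original message and not GnuPG code; the names packets, digest_algos, sample, HASH_NAMES and WBITS are assumptions made for the illustration, and partial body lengths and BZip2 compression are not handled.

```python
import zlib

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",  # RFC 4880, 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WBITS = {1: -15, 2: 15}  # compression id -> zlib window bits (1 = raw deflate)

def packets(data):
    """Yield (tag, body) for each binary OpenPGP packet (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet (armored input?)")
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n, length = 0, first
            elif first < 224:
                n, length = 1, ((first - 192) << 8) + data[i] + 192
            elif first == 255:
                n, length = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header; length type 3 means "runs to end of input"
            tag, n = (hdr >> 2) & 0x0F, (1 << (hdr & 3)) if (hdr & 3) < 3 else 0
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
        i += n
        yield tag, data[i:i + length]
        i += length

def digest_algos(data):
    """Return the digest algorithm of every signature packet found in data."""
    found = []
    for tag, body in packets(data):
        if tag == 8:  # compressed data packet: decompress and recurse
            inner = body[1:]
            if body[0]:  # id 0 is uncompressed; ids outside WBITS raise KeyError
                inner = zlib.decompressobj(WBITS[body[0]]).decompress(inner)
            found += digest_algos(inner)
        elif tag in (2, 4):
            # hash id offset: one-pass signature 2, v4 signature 3, v3 signature 16
            off = 2 if tag == 4 else (3 if body[0] == 4 else 16)
            found.append(HASH_NAMES.get(body[off], "id %d" % body[off]))
    return found

def sample():
    """Constructed input: compressed packet holding one one-pass signature header."""
    onepass = bytes([0x90, 13, 3, 0, 2, 17]) + bytes(8) + b"\x01"  # SHA1, DSA
    comp = zlib.compressobj(wbits=-15)
    return b"\xa3\x01" + comp.compress(onepass) + comp.flush()
```

Calling digest_algos() on the bytes of a file such as test.txt.gpg lists one entry per signature packet, so a SHA1 default shows up as "SHA1" in the result.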