please change the default hashing algorithm

Ben McGinnes ben at adversary.org
Tue Jul 14 20:47:07 CEST 2015


On 15/07/2015 4:23 am, Andrew Clausen wrote:
> Excerpts from Ben McGinnes's message of 2015-07-14 18:47:45 +0100:
>>> gpg: original file name='test.txt'
>>> test
>>> gpg: Signature made Mon 13 Jul 2015 10:16:53 BST using DSA key ID 73207F13
>>> gpg: using PGP trust model
>>> gpg: Good signature from "test test (test) <test at test>"
>>> gpg: binary signature, digest algorithm SHA1
>>>
>>> I had trouble building gpg-2.0.28 (gettext too old) and gpg-2.0.26
>>> (make didn't know how to build audit-event.h).  I can dig deeper if
>>> that helps, but my guess is that this is clear enough...
>>
>> That can be fixed with the digest preferences.
> 
> It's kind of you to offer your help, but my email wasn't a request for support.
> I was requesting that GPG be modified so that it doesn't use insecure hashing
> algorithms by default.  It seems that "modern" GPG does this, but not "classic"
> GPG, which I believe is more popular.

Ah, classic, if the concern pertains to the majority of end users that
will be effectively neutralised when the switch to ECC forces them off
classic and onto modern.  If the concern is the remaining systems
which continue to use classic due to ease of automation or integration
with other APIs or systems (e.g. package managers), then leveraging
modern via GPGME is probably the best way to go.

Changing the default preferences can probably be done, but I'll wait
for Werner to return from his holiday and comment on that.  Also,
there may be an additional complication with regards to the digest
used with the self-signature packet during key creation.  I just
double-checked another key I made earlier this year which definitely
had SHA512 as the preferred first choice hash in gpg.conf during key
creation and it still has SHA1 in the self signatures.  It was also
generated with classic due to the key size (I was doing silly things
to prove a point elsewhere).


Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150715/366940df/attachment.sig>


More information about the Gnupg-devel mailing list