self-sigs with weaker hashes

Daniel Kahn Gillmor dkg at
Wed Jan 11 00:58:55 CET 2017

hey all--

please take a look at the behavior of gpg 2.1.17 with key

This is a 3072-bit DSA key with two User IDs.

One of the User IDs has four self-sigs on it, two of which appear to be
SHA1 (gpg produces the error message):

 gpg: DSA key 308B0A7BD8DEC2EC requires a 256 bit or larger hash (hash is SHA1)

The "bad" ones are made between two "good" ones, according to their
timestamps.  From --check-sigs:

sig!3        308B0A7BD8DEC2EC 2015-08-09  ***User ID REDACTED***
sig%3        308B0A7BD8DEC2EC 2015-08-22  [General error] 
sig%3        308B0A7BD8DEC2EC 2015-08-22  [General error] 
sig!3        308B0A7BD8DEC2EC 2016-06-05  ***User ID REDACTED***

Should gpg just ignore or filter out the "bad" self-sigs that it doesn't
think are valid, rather than leaking warnings every time the key is

Even if gpg wants to keep around the "bad" self-sigs, since there is a
more recent self-sig that isn't invalid, shouldn't gpg swallow that
warning?  This seems like a case of noise that is just distracting for
most users, when gpg can figure out the Right Thing to do here anyway.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170110/9af52e8b/attachment.sig>

More information about the Gnupg-devel mailing list