self-sigs with weaker hashes

Werner Koch wk at gnupg.org
Wed Jan 11 08:19:59 CET 2017


On Wed, 11 Jan 2017 00:58, dkg at fifthhorseman.net said:

> Should gpg just ignore or filter out the "bad" self-sigs that it doesn't
> think are valid, rather than leaking warnings every time the key is
> encountered?

In general I would say yes.  I use --check-sigs to look for such bogus
signatures and thus we would need to add a new --verify-option to allow
printing them.

Or we could try to suppress the 

  gpg: DSA key 308B0A7BD8DEC2EC requires a 256 bit or larger hash (hash is SHA1)

line and output

  sig%3        308B0A7BD8DEC2EC 2015-08-22  [Key requires a 256 bit or
  larger hash (hash is SHA1)] 

However, that might be a larger change and too late for 2.2.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.