[PATCH GnuPG 3/5] gpg: use rsa3072 for legacy compliance modes
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 5 00:46:06 CET 2025
* doc/gpg.texi (default-new-key-algo): Remind the user that this
should come after any compliance modes, like --allow-old-cipher-algos.
--
GnuPG-bug-id: 7511
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
doc/gpg.texi | 3 ++-
g10/gpg.c | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 7a709d170..5572cba7d 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3848,7 +3848,8 @@ generation. The @var{string} is similar to the arguments required for
the command @option{--quick-add-key} but slightly different. You need
to consult the source code to learn the details. Note that the
advanced key generation commands can always be used to specify a key
-algorithm directly.
+algorithm directly. Setting a compliance mode will set or clear this
+flag, so it should only be used after a compliance mode setting.
@item --no-auto-trust-new-key
@opindex no-auto-trust-new-key
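Review bot: "set or clear this flag" in the added sentence misnames the option: @option{--default-new-key-algo} takes a string (the g10/gpg.c hunks assign "rsa3072/cert,sign+rsa3072/encr" or NULL to opt.def_new_key_algo), so "this option" or "this setting" is more accurate, and the reader is not told which options are meant. Suggest something like: "Selecting a compliance mode (@option{--openpgp}, @option{--rfc2440}, @option{--compliance}, ...) overrides this option, so it must be given after any compliance option, both on the command line and in @file{gpg.conf}."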
diff --git a/g10/gpg.c b/g10/gpg.c
index 994b83b94..e16c92373 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2295,6 +2295,7 @@ set_compliance_option (enum cmd_and_opt_values option)
opt.s2k_digest_algo = 0;
opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO;
opt.flags.allow_old_cipher_algos = 0;
+ opt.def_new_key_algo = NULL;
break;
case oOpenPGP:
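Review bot: `opt.def_new_key_algo = NULL;` discards a --default-new-key-algo the user gave earlier in gpg.conf or on the command line, with no diagnostic, so a deliberately chosen key algorithm disappears just because a compliance option happens to follow it. Either remember whether the current value came from a compliance mode and only reset it in that case, or at least emit a log_info() when a user-supplied value is dropped. Separately, the ChangeLog part of the commit message lists only doc/gpg.texi; add an entry for g10/gpg.c (set_compliance_option) describing these assignments.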
@@ -2310,6 +2311,7 @@ set_compliance_option (enum cmd_and_opt_values option)
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
+ opt.def_new_key_algo = "rsa3072/cert,sign+rsa3072/encr";
break;
case oRFC2440:
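Review bot: the literal "rsa3072/cert,sign+rsa3072/encr" is repeated verbatim in the oRFC2440 hunk below; put it in one #define (a name such as LEGACY_COMPLIANCE_NEW_KEY_ALGO, chosen here only as a suggestion) so the two modes cannot drift apart. Also confirm how opt.def_new_key_algo is managed elsewhere: if the option parser stores an allocated copy that is later freed, assigning a string literal here is unsafe; if it only stores the argv pointer, as a string literal is fine and this is OK.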
@@ -2323,6 +2325,7 @@ set_compliance_option (enum cmd_and_opt_values option)
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
+ opt.def_new_key_algo = "rsa3072/cert,sign+rsa3072/encr";
break;
case oPGP7:
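Review bot: only oOpenPGP and oRFC2440 receive the rsa3072 default, while the subject line speaks of "legacy compliance modes" in general and `case oPGP7:` follows immediately without a corresponding change; either add the assignment to the other modes that set allow_old_cipher_algos = 1, or say in the commit message why they are excluded. A one-line comment above the assignment stating why these modes get rsa3072 rather than the regular default would also help the next reader of set_compliance_option.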
--
2.47.2