[PATCH GnuPG] gpg: default digest should be SHA1 only in --rfc2440 or --pgp7
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 5 20:53:38 CET 2025
* g10/main.h (DEFAULT_DIGEST_ALGO): default to SHA256 except for
archaic compliance modes.
--
RFC 4880 specifies the 256-bit variant of SHA2, and any compatible
client in the last 10 years. According to doc/gpg.texi, PGP 8 also
supports SHA 256. There's no clear reason to default to SHA1 for
compatibility with those clients. (RFC 2440 and PGP7 don't support
SHA256, so leave that alone.)
GnuPG-bug-id: 7516
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
g10/main.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/main.h b/g10/main.h
index 546a0b5b8..ffed41613 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -41,7 +41,7 @@
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
#endif
-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
+#define DEFAULT_DIGEST_ALGO ((PGP7||RFC2440)? DIGEST_ALGO_SHA1:DIGEST_ALGO_SHA256)
#define DEFAULT_S2K_DIGEST_ALGO DEFAULT_DIGEST_ALGO
#ifdef HAVE_ZIP
# define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
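Review bot: The context line `#define DEFAULT_S2K_DIGEST_ALGO DEFAULT_DIGEST_ALGO` directly below the changed macro means the S2K digest default changes together with it, and neither the ChangeLog line nor the commit message mentions that. Under the old condition `(GNUPG)?`, every non-GnuPG compliance mode got SHA1 for both macros; under `(PGP7||RFC2440)?`, every mode other than those two now gets SHA256 for both. If the S2K change is intended, name DEFAULT_S2K_DIGEST_ALGO in the ChangeLog entry as affected; if it is not, give DEFAULT_S2K_DIGEST_ALGO its own condition instead of aliasing it. A one-line comment above the macro stating why only PGP7 and RFC2440 keep SHA1 would also help, since that rationale currently exists only in the commit message.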
--
2.47.2