updating a key's self-signature

David Shaw dshaw at jabberwocky.com
Wed Jan 4 01:43:01 CET 2006

On Tue, Jan 03, 2006 at 04:32:27PM -0800, vedaal at hush.com wrote:
> i have two keys that i use extensively for e-mailing
> one is a v4 rsa key (my default key), and the other is a v3 rsa key 
> (for those correspondents who insist on or prefer the old key)
> both were signed with md5 when they were generated years ago
> when i try to sign them now, gnupg (1.4.2) prompts me to sign with 
> a dh/dsa test key that is in my keyring, instead of with my default 
> key
> (i tried using updpref sha256 first, which was accepted,
> but still couldn't sign a key with my default key)
> is there any way i can self-sign them with a sha256 sig,
> or sign them with my default key with a sha256 sig
> (if not, can this be a feature request?
> as signature hashing algorithms become less trusted,
> but while the key itself is still trusted,
> wouldn't it make more sense to be able to update the self-sig
> rather than have to generate a new key? )

Yes, but note that it's still possible for someone to get the old
self-sig from a keyserver.

Anyway, do this:

gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid)

GPG will warn you that the key is already signed, but give you the
option to sign anyway.  Remember that if you pick a hash algorithm
that your correspondents don't have, the key will become unusable to
them.  Despite the recent attacks, I'd use SHA-1.

Why did you self-sign a v4 RSA key with MD5 anyway?


More information about the Gnupg-users mailing list