updating a key's self-signature
David Shaw
dshaw at jabberwocky.com
Wed Jan 4 01:43:01 CET 2006
On Tue, Jan 03, 2006 at 04:32:27PM -0800, vedaal at hush.com wrote:
> I have two keys that I use extensively for e-mailing.
>
> One is a v4 RSA key (my default key), and the other is a v3 RSA key
> (for those correspondents who insist on or prefer the old key).
>
> Both were signed with MD5 when they were generated years ago.
>
> When I try to sign them now, GnuPG (1.4.2) prompts me to sign with
> a DH/DSA test key that is in my keyring, instead of with my default
> key.
>
> (I tried using updpref sha256 first, which was accepted,
> but still couldn't sign a key with my default key.)
>
> Is there any way I can self-sign them with a SHA256 sig,
> or sign them with my default key with a SHA256 sig?
>
> (If not, can this be a feature request?
>
> As signature hashing algorithms become less trusted,
> but while the key itself is still trusted,
> wouldn't it make more sense to be able to update the self-sig
> rather than have to generate a new key?)
Yes, but note that it's still possible for someone to get the old
self-sig from a keyserver.
Anyway, do this:
gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid)
GPG will warn you that the key is already signed, but give you the
option to sign anyway. Remember that if you pick a hash algorithm
that your correspondents don't have, the key will become unusable to
them. Despite the recent attacks, I'd use SHA-1.
Why did you self-sign a v4 RSA key with MD5 anyway?
David
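The command above re-signs the key with a new digest, and the easiest way to see what changed is to look at the signature packets themselves. The Python module below is an added example, not part of David Shaw's message or of GnuPG's own code: it walks the binary packets of an exported key (the output of gpg --export KEYID, the same bytes gpg --list-packets reads), reports for every signature packet its version, hash algorithm id and issuer key ID, and flags certifications (types 0x10 to 0x13 and 0x1F) made by the primary key itself with MD5 or SHA-1. The sample key at the bottom is constructed by hand with dummy MPIs, so nothing here verifies a signature; the code only reads the fields. The names audit_key, SAMPLE_KEY and the small builder helpers are this example's own.

```python
# Added example, not from the list message: a minimal OpenPGP (RFC 4880) packet walker
# that reports the hash algorithm of every signature on an exported key.
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES, CERT_SIG_TYPES = {1, 2}, {0x10, 0x11, 0x12, 0x13, 0x1F}   # MD5/SHA-1; certification types

def read_length(buf, i, subpacket=False):
    """New-format length at buf[i] -> (length, next index); 224..254 is a partial body in a packet header but a two-octet length in a subpacket."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    if first >= 224 and not subpacket:
        raise ValueError("partial body length not supported")
    return ((first - 192) << 8) + buf[i + 1] + 192, i + 2

def iter_packets(data):
    """Yield (tag, body) per packet, old- or new-format header (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:                                # new-format header
            tag, (length, i) = ctb & 0x3F, read_length(data, i + 1)
        else:                                         # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = 0 if ltype == 3 else 1 << ltype    # ltype 3: indeterminate, rest of input
            length = int.from_bytes(data[i + 1:i + 1 + size], "big") if size else len(data) - i - 1
            i += 1 + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def iter_subpackets(area):
    i = 0                                             # (type, data) per subpacket, critical bit stripped
    while i < len(area):
        length, i = read_length(area, i, subpacket=True)
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def primary_key_id(body):
    """v4: low 64 bits of SHA-1(0x99 || len || body); v2/v3: low 64 bits of the RSA modulus."""
    if body[0] == 4:
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()[-8:].hex().upper()
    if body[0] not in (2, 3): raise ValueError("unsupported key packet version %d" % body[0])
    n_len = (struct.unpack(">H", body[8:10])[0] + 7) // 8          # MPI n starts at offset 8
    return body[10:10 + n_len][-8:].hex().upper()

def parse_signature(body):
    """Return version, signature type, hash algorithm id and issuer key ID."""
    if body[0] == 3:   # v3: 3, 5, type, time(4), issuer(8), pk algo, hash algo, ...
        return {"version": 3, "sigtype": body[2], "hash": body[16], "issuer": body[7:15].hex().upper()}
    if body[0] != 4: raise ValueError("unsupported signature version %d" % body[0])
    pos = 6 + struct.unpack(">H", body[4:6])[0]                  # end of hashed area
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]    # end of unhashed area
    subs = list(iter_subpackets(body[6:pos])) + list(iter_subpackets(body[pos + 2:end]))
    issuers = [d.hex().upper() for t, d in subs if t == 16 and len(d) == 8]  # type 16 = issuer
    return {"version": 4, "sigtype": body[1], "hash": body[3], "issuer": issuers[0] if issuers else None}

def audit_key(data):
    """Describe every signature on the key; flag MD5/SHA-1 self-certifications."""
    key_id, report = None, []
    for tag, body in iter_packets(data):
        if tag == 6:                                  # primary public-key packet
            key_id = primary_key_id(body)
        elif tag == 2:                                # signature packet
            sig = parse_signature(body)
            sig["hash_name"] = HASH_NAMES.get(sig["hash"], "algo %d" % sig["hash"])
            sig["self_sig"] = sig["issuer"] == key_id
            sig["weak_self_sig"] = sig["self_sig"] and sig["hash"] in WEAK_HASHES and sig["sigtype"] in CERT_SIG_TYPES
            report.append(sig)
    return report

# Constructed sample key (dummy MPIs, no real crypto) so the module runs offline.
def mpi(octets):
    return struct.pack(">H", (len(octets) - 1) * 8 + octets[0].bit_length()) + octets
def packet(tag, body):                                # old-format header, one-octet length (as gpg emits)
    return bytes([0x80 | (tag << 2), len(body)]) + body
def v4_sig(sigtype, hash_algo, issuer):
    hashed, unhashed = bytes([5, 2, 0x43, 0xb9, 0x4f, 0]), bytes([9, 16]) + bytes.fromhex(issuer)
    return (bytes([4, sigtype, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + mpi(b"\x7f"))
def v3_sig(sigtype, hash_algo, issuer):
    return (bytes([3, 5, sigtype, 0x43, 0xb9, 0x4f, 0]) + bytes.fromhex(issuer)
            + bytes([1, hash_algo]) + b"\x12\x34" + mpi(b"\x7f"))

KEY_BODY = bytes([4, 0x3a, 0, 0, 0, 1]) + mpi(bytes(range(1, 33))) + mpi(b"\x01\x00\x01")
KEY_ID = primary_key_id(KEY_BODY)
SAMPLE_KEY = (packet(6, KEY_BODY) + packet(13, b"Test User <test@example.invalid>")
              + packet(2, v4_sig(0x13, 1, KEY_ID))       # years-old MD5 self-sig
              + packet(2, v3_sig(0x13, 2, KEY_ID))       # v3-format self-sig using SHA-1
              + packet(2, v4_sig(0x13, 8, KEY_ID)))      # fresh SHA-256 self-sig
```

audit_key(SAMPLE_KEY) returns three entries, the first two flagged as weak self-signatures and the SHA-256 one clean; audit_key(open("key.bin", "rb").read()) after gpg --export KEYID > key.bin gives the same report for a real key. Because a key server that already holds the MD5 self-signature will keep serving it alongside the new one, run the audit on a fresh copy fetched from the server, not only on the local keyring.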