gnupg 1.4.3 uses SHA1 when preferred Digest is SHA2

David Shaw dshaw at jabberwocky.com
Mon Jun 12 02:36:46 CEST 2006


On Sun, Jun 11, 2006 at 09:46:37PM +0100, Jason Wittlin-Cohen wrote:
> I was playing around with the gnupg command line options and I noticed
> that whenever I signed or encrypted and signed a file, GPG would use
> SHA1 rather than SHA256, which is the preferred digest for my primary key.
> 
> I confirmed that SHA256 was the preferred digest by using "gpg
> --edit-key 2228BC8F" and then did "showpref" which outputted the
> relevant line:
> 
> "Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1"
> 
> Yet, when I encrypt and sign a file with "gpg -esv blah.txt" I see:
> 
> "gpg: RSA/SHA1 signature from: "2228BC8F Jason Wittlin-Cohen
> <jasonwc at brandeis.edu>"
> 
> When I manually specify "gpg -esv --digest-algo SHA256 blah.txt" I see:
> 
> "gpg: RSA/SHA256 signature from: "2228BC8F Jason Wittlin-Cohen
> <jasonwc at brandeis.edu>"
> 
> I can also manually specify SHA384 or SHA512 and Enigmail will use
> SHA256,384, or 512 as well, without complaints.
> 
> Any idea why GPG isn't using my preferred digest unless I manually
> specify it? It does use my preferred cipher (AES-256).

The misunderstanding here is that "showpref" sets preferred algorithms
for outgoing messages.  It doesn't.  The preferences on the key are
used on messages being sent *to* your key.  If you want to set
preferences for outgoing messages, stick something like:

  personal-digest-preferences sha256 sha384 sha512

in your gpg.conf.

David



More information about the Gnupg-users mailing list