algorithm 11 mistake mac

David Shaw dshaw at
Tue Jul 7 23:04:37 CEST 2009

On Jul 7, 2009, at 4:45 PM, Charly Avital wrote:
> According to previous posts and result of tests, it seems that the  
> problem is with GPGMail signing with OpenPGP/MIME *and* SHA224.
> OpenPGP/MIME is set by default when sending a message with an  
> attachment, or a multi-part message (e.g. HTML format).
> You'd better check your gpg.conf, and:
> disable the option digest-algo SHA224
> and use instead:
> digest-algo SHA256

No, never use digest-algo.  It is almost always the wrong answer, and  
causes a lot of pain and breakage in its wake.

He likely doesn't have any digest-algo set anyway - his key is a 2048- 
bit DSA key, which defaults to SHA-224 as its hash.  To override that,  
use "personal-digest-preferences sha256" in the gpg.conf file, but  
note that it may or may not work within gpgmail (it depends on how  
gpgmail picks digests), and also note that it's chopping sha256 down  
to 224 bits to fit.

However you cut it, the proper fix here needs to be in gpgmail.


More information about the Gnupg-users mailing list