Use other hash than SHA-1

Raimar Sandner mail at
Sat May 2 16:47:07 CEST 2009

On Saturday 02 May 2009 15:45:11 David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamel key)
> > and how?
> The short answer is that you can only use a 160-bit hash with your
> default DSA key.  That means SHA-1 or RIPEMD/160.  There is a feature
> you can enable (--enable-dsa2) that will allow you to use a bigger
> hash -- but you can still only use 160 bits worth of it.  So if you
> use SHA-256, you're actually only taking 160 bits worth of it and
> discarding the rest.
> To truly use all of a larger hash, you need to either use a RSA key or
> a large (not default) DSA key (i.e. generated with --enable-dsa2
> switched on, and a larger size than 1024 bits selected).

SHA256 is included in the default pref list even for a regular DSA key. Is 
that because my own key is not involved when verifying a signature, and gnupg 
could verify a SHA256 hash created by someone with a RSA or DSA2 key?

Is it therefore reasonable to have SHA256 in first place of the key 
preferences, even for a regular DSA key?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20090502/c06588f8/attachment.pgp>

More information about the Gnupg-users mailing list