Use other hash than SHA-1

Simon Ruderich simon at
Sun May 3 14:17:03 CEST 2009


On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> The short answer is that you can only use a 160-bit hash with your
> default DSA key.  That means SHA-1 or RIPEMD/160.  There is a feature you
> can enable (--enable-dsa2) that will allow you to use a bigger hash -- but
> you can still only use 160 bits worth of it.  So if you use SHA-256,
> you're actually only taking 160 bits worth of it and discarding the rest.
> To truly use all of a larger hash, you need to either use a RSA key or a
> large (not default) DSA key (i.e. generated with --enable-dsa2 switched
> on, and a larger size than 1024 bits selected).
> David


Thanks for your reply. As it looks like SHA-1 is not so secure
anymore I want to switch to something stronger, e.g. SHA-256.
What is the best way (for a normal user like me) to do this? The
solution should be as compatible as possible (I think I read
--enable-dsa2 doesn't work with some clients).

I often read I should stick with the defaults but as SHA-1 has
its problems I would prefer a "better" hash; and this doesn't
seem to work with the defaults.
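The point David makes above (a 160-bit-q DSA key only ever signs 160 bits of the digest, so SHA-256 is truncated and the rest discarded) can be seen directly in textbook DSA. The following is an added example, not GnuPG code and not from anyone in this thread: a minimal DSA implementation in Python with the FIPS 186-3 / RFC 4880 hash truncation rule (use the leftmost min(N, outlen) bits, N being the bit length of q). It signs a SHA-256 digest, then flips the last bit of the digest and verifies again: with a classic 160-bit q the doctored digest still verifies because that bit was never looked at; with a 256-bit q (what --enable-dsa2 with a larger key gives you) it fails. The parameter generation is naive and the parameter sizes in the demo are assumptions chosen for speed; real DSA2 keys pair a 256-bit q with a 2048- or 3072-bit p.

```python
"""Added example (not GnuPG code): textbook DSA showing how many bits of
the message digest a signature actually covers.

FIPS 186-3 sec. 4.6 (and RFC 4880 for OpenPGP) feed DSA the leftmost
min(N, outlen) bits of the digest, N being the bit length of the subgroup
order q. A classic 1024-bit DSA key has N = 160, so a SHA-256 digest
(outlen = 256) is cut down to 160 bits; a DSA2 key with a 256-bit q uses
the whole digest.
"""
import hashlib
import random

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for a demonstration."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(L, N):
    """Return DSA domain parameters (p, q, g): p of L bits, q of N bits.
    Naive search p = k*q + 1; real keys use FIPS 186-3 sizes (1024/160,
    2048/256, 3072/256). L and N here are the caller's assumptions."""
    while True:
        q = _rng.getrandbits(N) | (1 << (N - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(20000):
            k = _rng.getrandbits(L - N) | (1 << (L - N - 1))
            k &= ~1  # even k keeps p odd
            p = k * q + 1
            if p.bit_length() != L or not is_probable_prime(p):
                continue
            g = pow(2, k, p)  # 2^((p-1)/q) mod p generates the order-q subgroup
            if g != 1:
                return p, q, g


def keygen(params):
    p, q, g = params
    x = _rng.randrange(1, q)  # private key
    return x, pow(g, x, p)    # (x, y)


def truncate_hash(digest, q):
    """Leftmost min(N, outlen) bits of the digest, as an integer."""
    N = q.bit_length()
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > N:
        z >>= outlen - N  # the rightmost outlen - N bits are simply discarded
    return z


def bits_of_hash_used(q_bits, hash_name):
    """How many digest bits a DSA key with a q_bits-bit q really signs."""
    return min(q_bits, hashlib.new(hash_name).digest_size * 8)


def sign(params, x, digest):
    p, q, g = params
    z = truncate_hash(digest, q)
    while True:
        k = _rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s


def verify(params, y, digest, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    z = truncate_hash(digest, q)
    w = pow(s, -1, q)
    u1, u2 = z * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def discarded_bits_are_unchecked(params, message=b"constructed sample message"):
    """Sign a SHA-256 digest, then verify a digest whose last bit is flipped.
    Returns (genuine_verifies, doctored_verifies). With a 160-bit q the
    flipped bit lies in the discarded part, so the doctored digest still
    verifies; with a 256-bit q it does not."""
    x, y = keygen(params)
    digest = hashlib.sha256(message).digest()
    sig = sign(params, x, digest)
    doctored = digest[:-1] + bytes([digest[-1] ^ 1])
    return verify(params, y, digest, sig), verify(params, y, doctored, sig)


if __name__ == "__main__":
    for N in (160, 256):
        print(f"q = {N} bits: SHA-256 bits signed =",
              bits_of_hash_used(N, "sha256"),
              "(genuine, last-bit-flipped) verifies =",
              discarded_bits_are_unchecked(generate_params(1024, N)))
```

The `p` size in the demo is kept at 1024 bits for both runs purely so it finishes quickly; only the size of `q` decides how much of the digest is covered, which is exactly why a default 1024/160 DSA key cannot get more than 160 bits of security from SHA-256, whatever `--digest-algo` is set to.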

