gpg rejects SHA224 with DSA-2048
Kevin Kammer
mephisto at fastmail.net
Sun Nov 8 04:24:12 CET 2009
On Sat, Nov 07, 2009 at 09:44:23PM -0500
Also sprach Robert J. Hansen:
> Kevin Kammer wrote:
> > If I attempt to create a data signature using a 2048-bit DSA signing
> > key, and the SHA224 hash algorithm, GnuPG complains as follows:
> >
> > ~ $ gpg -u A39CE7E5 --digest-algo H11 -b test.txt
>
> Your key is not on the keyserver network, so that will impair our
> ability to help you out with this.
>
> It appears that your key is actually 14CA0E78. To tell it to use a
> particular subkey, you need to append a "!" to the subkey ID.
> Otherwise, I believe GnuPG's behavior is to look at the certificate that
> subkey belongs to, and use the largest signing subkey on that
> certificate. If you have a 3072-bit signing subkey on 14CA0E78, this
> would explain your problem.
>
> Try:
>
> ~ $ gpg -u A39CE7E5! --digest-algo H11 -b test.txt
>
>
My fault for not including the complete shell output from the command,
but GnuPG does indicate that it is using 2048-bit subkey A39CE7E5.
I had already tried it with "!" just to be sure, but the result was the
same, as is the result of attempting this with a 2048-bit primary key.
Regardless of whether it is a sub-key or a primary, GnuPG just seems to
mandate the use of SHA256 with 2048-bit DSA. This is not necessarily a
bad thing, but it is not "by the book," so I am trying to ascertain why.
More information about the Gnupg-users
mailing list