Displaying signature algorithms when doing --check-sigs, disabling algorithms for web of trust.
zirconiumnzinc at gmail.com
Mon May 16 17:43:36 CEST 2011
On Mon, May 16, 2011 at 11:30 AM, Werner Koch <wk at gnupg.org> wrote:
> On Sat, 14 May 2011 22:42, zirconiumnzinc at gmail.com said:
>> Werner if you read this thread please reply. Thanks.
> I don't understand the context, what was your question? How to disable a
> certain algorithm? (--disable-cipher NAME).
> I recall that there was a long thread abouth something with signature
> algorithms; I didn't followed that one.
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Hi Werner, thanks for replying. I will cite myself:
Is there a way to display hash algorithms along with public key
algoritms (and its lenght) of signatures when issuing "--check-sigs"
(or check in the "--edit-key" shell)?
I also would like to know if there is a way to force that GPG will not
accept signatures made with a certain hash or public key algorithms,
when calculating validity of keys trough web of trust? In the case of
public key it should be possible to specify key length.
I didnt have luck finding answers to my questions in documentation,
only a partial solution to my second question:
There is an option "disable-pubkey-algo" that will totally disable
choosen public key algoritm, however it only works after doing
--check-trustdb with that option, otherwise it still accepts key
signatures (certifications) made with disabled algorithm, as a valid
signatures (for example when calculating key validity, or when doing
"--check-sigs"). It can create problems when changing from
"trust-model pgp" to "trust-model direct", beacuse as GPG says, there
is "no need for a trustdb check with `direct' trust model". But is
that really true that that there is no need for trustdb check? Im not
sure, but GPG doesnt allow that.
So while "disable-pubkey-algo" can be used to disable signatures made
with certain public key algorithm when calculating validity of keys
trough web of trust, there is no way to specify key length. Also there
is no such option for hash algorithms. No "disable-hash-algo" or
"disable-cert-digest-algo" or anything like that.
More information about the Gnupg-users