why is SHA1 used? How do I get SHA256 to be used?
Robert J. Hansen
rjh at sixdemonbag.org
Tue Jul 10 16:10:12 CEST 2012

> SHA1 is no longer secure.

At the present moment, SHA-1 is just fine. In the fairly near future,
anywhere between six months to a few years, I expect this will change.
But "SHA1 is no longer secure" is factually untrue, at least where
OpenPGP is concerned.

I don't recommend SHA-1 for new signatures, but if you have a choice
between sending a SHA-1 message which your recipient can verify
or a SHA-256 message which your recipient can't, well -- that math's
pretty easy to do. SHA-1 isn't a good choice for new signatures, but
it's a lot better than no signature.

> I'm not going to cater to people using really old versions,
> especially when security is involved.

The good news is that no one's asking you to. You're only being
advised, "don't use --digest-algo SHA256, it's unwise and can break
interoperability. Use --personal-digest-preferences SHA256 instead."

This is the same advice that has been given by the GnuPG developers, by
the Enigmail team, and by many other people within the community. It's
a best-practices thing for GnuPG.

Don't use --digest-algo. Use --personal-digest-preferences. That's all.
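
A check for the advice in the message above, as an added example that is not part of the original post: the shell function scans a gpg.conf-style file and flags a `digest-algo` line while accepting `personal-digest-preferences`. The function name, its return codes and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a gpg.conf-style file
# for the hard override the post advises against.
#
# audit_gpg_conf FILE   (hypothetical helper; return codes are this example's own)
#   0  personal-digest-preferences is set and digest-algo is not
#   1  digest-algo is set (hard override, can break interoperability)
#   2  neither option is set, so GnuPG's defaults apply
#   3  file is not readable
audit_gpg_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }

    # Reduce each line to its option name: drop leading whitespace, tolerate
    # "--" pasted from a command line, skip blank lines and "#" comments.
    opts=$(awk '{ sub(/^[ \t]*/, ""); sub(/^--/, "") }
                NF && $1 !~ /^#/ { print tolower($1) }' "$conf")

    # Exact match on the whole option name, so cert-digest-algo and
    # personal-digest-preferences are not mistaken for digest-algo.
    if printf '%s\n' "$opts" | grep -qx 'digest-algo'; then
        echo "$conf: digest-algo is set; use personal-digest-preferences instead"
        return 1
    fi
    if printf '%s\n' "$opts" | grep -qx 'personal-digest-preferences'; then
        echo "$conf: personal-digest-preferences is set, no hard override"
        return 0
    fi
    echo "$conf: neither option is set, GnuPG defaults apply"
    return 2
}

# Constructed sample config showing the discouraged line next to the advised one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real user's gpg.conf
digest-algo SHA256
personal-digest-preferences SHA256
EOF
audit_gpg_conf "$sample" || true   # reports the digest-algo line
rm -f "$sample"
```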