How to "activate" gpg.conf entries?

Kristian Fiskerstrand kf at sumptuouscapital.com
Wed Jul 11 16:54:27 CEST 2012


On 2012-07-11 16:09, Sam Smith wrote:
> I've added the following 3 lines to my gpg.conf file:
> 
> 1) to use stronger hash when supported by others, I added this line
> = *personal-digest-preferences SHA256*
> 
> 2) to use the SHA256 hash when I Sign a message, I added this line 
> =*cert-digest-algo SHA256*

This is not what cert-digest-algo does; I'd recommend removing this
line altogether, but:
       --cert-digest-algo name
              Use name as the message digest algorithm used when
              signing a key. Running the program with the command
              --version yields a list of supported algorithms. Be aware
              that if you choose an algorithm that GnuPG supports
              but other OpenPGP implementations do not, then some users
              will not be able to use the key signatures you make,
              or quite possibly your entire key.

> 
> 3) to change what is used when a new key is generated I added this
> line = *default-preference-list SHA256 SHA384 SHA512 SHA224 AES256
> AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed*


Note that as per RFC4880 this will still not remove SHA1[0: 13.3.2.]
or 3DES[0: 13.2.], as these are appended tacitly to be able to ensure
a matching set between implementations.


> 
> If I am using the wrong command for my intended purpose, please do
> let me know :)
> 
> What procedure should I now do to "activate" or put into effect
> these preferences? Once done, is there a way to verify that these
> preferences are in effect, how can I verify?
> 

Clearsign some text and see what hash it yields?

Also note what has been mentioned regarding the use of 1024 bit DSA
keys, which are limited to the use of a 160 bit hash algo. If you wish
to use a non-truncated version of SHA256 and have such a key, you'll
have to propagate to a new one.

[0] http://tools.ietf.org/html/rfc4880



- -- 
- ----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
- ----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is now
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
- ----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/


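The check suggested in the reply (clearsign some text and see what hash it yields), as an added example that is not part of the original message: Python that reads the `Hash:` armor header of a clearsigned text and also the hash algorithm ID stored in the signature packet, so the two can be compared against the value set in gpg.conf. The function names are hypothetical, the sample input is constructed (its signature packet carries only the fixed fields and is not a valid signature), and only version 4 signature packets are handled.

```python
import base64

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}

def _after(lines, marker):
    """Lines following the armor marker line."""
    return lines[lines.index(marker) + 1:]

def header_hashes(text):
    """Digest names announced in the clearsign 'Hash:' armor header."""
    names = []
    for line in _after(text.splitlines(), "-----BEGIN PGP SIGNED MESSAGE-----"):
        if not line.strip():                      # blank line ends the headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            names += [n.strip().upper() for n in value.split(",") if n.strip()]
    return names

def signature_hash(text):
    """Digest name stored in the signature packet itself (v4, tag 2)."""
    lines = _after(text.splitlines(), "-----BEGIN PGP SIGNATURE-----")
    lines = lines[lines.index("") + 1:]           # skip Version:/Comment: headers
    data = []
    for line in lines:
        if line.startswith(("=", "-----END")):    # CRC24 line or armor tail
            break
        data.append(line.strip())
    pkt = base64.b64decode("".join(data))
    if pkt[0] & 0x40:                             # new-format packet header
        tag = pkt[0] & 0x3F
        skip = 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:                                         # old-format packet header
        tag = (pkt[0] >> 2) & 0x0F
        skip = 1 + (1, 2, 4, 0)[pkt[0] & 3]
    body = pkt[skip:]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    return HASH_IDS.get(body[3], f"unknown({body[3]})")

def constructed_sample(header, hash_id):
    """Constructed input, not a valid signature: only the packet's fixed fields."""
    body = bytes([4, 0x01, 1, hash_id, 0, 0, 0, 0])  # v4, text sig, RSA, hash id
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + header + "\n\ntest\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n" + b64 +
            "\n-----END PGP SIGNATURE-----\n")
```

To check a real configuration, pass the output of `gpg --clearsign` on a short test file to both functions and compare the results with the digest named in gpg.conf.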