Confusion with signature digest type.

Mason Loring Bliss mason at blisses.org
Fri Apr 26 03:13:12 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi all.

I've been reading some "best practises" documents, and it was suggested that
I not use SHA-1 as my self-signature digest algorithm:

https://we.riseup.net/debian/openpgp-best-practices#self-signatures-must-not-use-sha1

This says, "To fix this, you will need to regenerate a key after setting the
following in your ~/.gnupg/gpg.conf" and then tells me to set something
beefier.

What I cannot figure out is how to remove my signature from my key and
re-sign it with the new digest algorithm. I delete my signature, or at least
I think I do, and it lets me sign my key again, but when I check using their
suggested pipeline:

gpg --export-options export-minimal --export <keyid> | gpg --list-packets | grep 'pref-hash-algos'

...I see algorithm 2 still there.

My understanding is that I have a key pair, and I sign it by unlocking the
secret half, and the signature is distinct from the key pair, so I should be
able to generate a new signature with a different digest algorithm. But
clearly that's not happening, so either my method is wrong or my
understanding of something is wrong, and I'd be grateful for help either way.

I created a new key, and the new key seems to have done the right thing, but
it really seems as though I'd ought to have been able to convert my old
key's signature.

Thanks in advance for clues!

- -- 
Mason Loring Bliss  <--------->  mason at blisses.org
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.
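
An added example, not part of the original post and not GnuPG's own code: `gpg --list-packets` prints two separate hash fields for each self-signature, the `digest algo` the signature was made with and the `pref-hash-algos` list it advertises, and this script reports them side by side. The sample input is constructed and the function names are hypothetical; algorithm numbers follow RFC 4880 (2 = SHA-1, 8 = SHA-256, 10 = SHA-512).

```shell
#!/bin/sh
# Constructed excerpt in `gpg --list-packets` format: two self-signatures
# (sigclass 0x13) on one user ID. Key ID, timestamps, digest bytes are made up.
sample_packets() {
cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1200000000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1200000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 21 len 3 (pref-hash-algos: 10 8 2)
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1366938792, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 12 34
    hashed subpkt 21 len 3 (pref-hash-algos: 10 8 2)
EOF
}

# One line per signature packet: class, digest it was made with, advertised prefs.
sig_digests() {
    awk '
    BEGIN { n[1]="MD5"; n[2]="SHA1"; n[3]="RIPEMD160"; n[8]="SHA256"
            n[9]="SHA384"; n[10]="SHA512"; n[11]="SHA224" }  # RFC 4880 hash IDs
    function emit() {
        if (insig) printf "sigclass=%s digest=%s prefs=%s\n", cls, ((d in n) ? n[d] : "algo" d), prefs
        insig = 0
    }
    /^:/                  { emit() }   # any new packet ends the previous one
    /^:signature packet:/ { insig = 1; cls = "?"; d = 0; prefs = "-" }
    insig && match($0, /sigclass 0x[0-9a-fA-F]+/)  { cls = substr($0, RSTART + 9, RLENGTH - 9) }
    insig && match($0, /digest algo [0-9]+/)       { d = substr($0, RSTART + 12, RLENGTH - 12) + 0 }
    insig && match($0, /pref-hash-algos: [0-9 ]+/) { prefs = substr($0, RSTART + 17, RLENGTH - 17) }
    END { emit() }
    '
}

# Count signatures actually made with SHA-1, regardless of the preference list.
sha1_signatures() {
    sig_digests | awk '/digest=SHA1 / { c++ } END { print c + 0 }'
}

# Real use: gpg --export <keyid> | gpg --list-packets | sig_digests
sample_packets | sig_digests
```

In the sample, both signatures list algorithm 2 among their preferences, but only the first was made with SHA-1.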
