Confusion with signature digest type.

David Shaw dshaw at jabberwocky.com
Fri Apr 26 19:28:29 CEST 2013


On Apr 26, 2013, at 12:18 PM, Mason Loring Bliss <mason at blisses.org> wrote:

> On Thu, Apr 25, 2013 at 11:47:49PM -0400, Robert J. Hansen wrote:
> 
>> A preimage attack on SHA-1 is my house being on fire: avoiding SHA-1 for
>> self-signatures is making sure to turn off the coffeepot.
> 
> While I agree with what you're saying, the big difference between this
> situation and your example is that it's trivially easy for me to say "use
> this digest method instead of this other one" and then forget about it. The
> coffee pot will take care of itself. The question becomes invisible to me as
> soon as I've set the default, and if the effort is so low to do it, I don't
> see any real reason *not* to do it. Security is about nudging up the bar.
> 
> Now, that said, I still don't understand why I was seemingly unable to change
> the digest algorithm I'm using for my old key. I'd be grateful if someone
> could enlighten me on that point, as I really want to grasp what was
> happening.

The answer to your question from your original mail is that you're using the "check if SHA-1 is in my preferences" test instead of the "check if my selfsig is SHA-1" test.  The proper test for checking your selfsig from the document you were referencing is:

  gpg --export-options export-minimal --export <keyid> | gpg --list-packets |grep -A 2 signature|grep 'digest algo 2,'

David
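
The difference between the two tests, as an added example that is not part of the original mail: the function below reads `gpg --list-packets` output and prints, for each signature packet, the digest algorithm the signature was actually made with next to any hash preferences it carries. The names `sig_digests` and `sample_packets` and the sample packets are constructed for illustration; algorithm 2 is SHA-1 and 8 is SHA-256 (RFC 4880).

```shell
#!/bin/sh
# Added example. One line per signature packet: "<sigclass> digest=<id> prefs=<ids or ->"
# digest = hash the signature itself was made with (the selfsig test)
# prefs  = pref-hash-algos subpacket, i.e. what the key advertises (the preferences test)
sig_digests() {
  awk '
    function emit() {
      if (insig) print cls, "digest=" dig, "prefs=" (prefs == "" ? "-" : prefs)
    }
    # Every packet header starts with ":"; close the previous packet, open the next.
    /^:/ { emit(); insig = ($0 ~ /^:signature packet:/); cls = dig = prefs = ""; next }
    !insig { next }
    /sigclass/ { for (i = 1; i < NF; i++) if ($i == "sigclass") cls = $(i + 1) }
    /digest algo/ {
      for (i = 1; i < NF; i++) if ($i == "algo") { dig = $(i + 1); sub(/,$/, "", dig) }
    }
    /pref-hash-algos:/ {
      p = $0; sub(/.*pref-hash-algos: */, "", p); sub(/\).*/, "", p)
      gsub(/ /, ",", p); prefs = p
    }
    END { emit() }
  '
}

# Constructed sample in the layout gpg --list-packets prints: the preferences no
# longer list SHA-1 (2), yet the self-signature (sigclass 0x13) was made with it.
sample_packets() {
  cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1366997309, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1366997309, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 21 len 3 (pref-hash-algos: 8 9 10)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
:public sub key packet:
    version 4, algo 1, created 1366997309, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1366997309, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 12 34
EOF
}

# Against a real key, using the export command from the mail above:
#   gpg --export-options export-minimal --export <keyid> | gpg --list-packets | sig_digests
sample_packets | sig_digests
```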



