Confusion with signature digest type.

David Shaw dshaw at
Fri Apr 26 19:28:29 CEST 2013

On Apr 26, 2013, at 12:18 PM, Mason Loring Bliss <mason at> wrote:

> On Thu, Apr 25, 2013 at 11:47:49PM -0400, Robert J. Hansen wrote:
>> A preimage attack on SHA-1 is my house being on fire: avoiding SHA-1 for
>> self-signatures is making sure to turn off the coffeepot.
> While I agree with what you're saying, the big difference between this
> situation and your example is that it's trivially easy for me to say "use
> this digest method instead of this other one" and then forget about it. The
> coffee pot will take care of itself. The question becomes invisible to me as
> soon as I've set the default, and if the effort is so low to do it, I don't
> see any real reason *not* to do it. Security is about nudging up the bar.
> Now, that said, I still don't understand why I was seemingly unable to change
> the digest algorithm I'm using for my old key. I'd be grateful if someone
> could enlighten me on that point, as I really want to grasp what was
> happening.

The answer to your question from your original mail is that you're using the "check if SHA-1 is in my preferences" test to instead of the "check if my selfsig is SHA-1" test.  The proper test for checking your selfsig from the document you were referencing is:

  gpg --export-options export-minimal --export <keyid> | gpg --list-packets |grep -A 2 signature|grep 'digest algo 2,'


More information about the Gnupg-users mailing list