[openpgp] SHA-2 support should be mandatory – change defaults

Werner Koch wk at gnupg.org
Wed Aug 13 09:56:33 CEST 2014

On Wed, 13 Aug 2014 05:41, dshaw at jabberwocky.com said:

> How about remove the functions in 2.1, and add a warning (in the docs,
> and perhaps upon use in the code) that the functions will be going
> away in 2.0?  That might be aggressive, but then, 2.1 isn't officially
> released yet, so it's not unreasonable to make a larger change there.
> What do you think?

Fine with me.

> state.  One place that comes to mind is in --gen-revoke.  GPG can
> import a bare revocation certificate.  No version of PGP can, so there
> is code to push out a minimal public key before the revocation
> certificate.  We'd need to add some sort of flag to indicate to
> include the minimal public key, and that's sort of reinventing --pgp

That is

  if (keyblock && (PGP2 || PGP6 || PGP7 || PGP8))
      /* Use a minimal pk for PGPx mode, since PGP can't import bare
         revocation certificates. */
      rc = export_minimal_pk (out, keyblock, sig, NULL);

Thus removing PGP2 won't harm.

> Maybe the answer is to remove the things to generate PGP 2 messages
> specifically, and leave the other stuff?  That feels a bit messy.

Actualluy this was my idea.  However, signature verification has some
kludges for PGP2 and we could consider to remove that too.  IIRC, this
is not even controlled by an option.

> I'd remove them as well.  They're much easier to remove than --pgp2 as they only affect very specific (and few) places in the code.




Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list