Re: [openpgp] SHA-2 support should be mandatory – change defaults

David Shaw dshaw at
Thu Aug 14 13:23:06 CEST 2014

On Aug 13, 2014, at 3:56 AM, Werner Koch <wk at> wrote:

>> state.  One place that comes to mind is in --gen-revoke.  GPG can
>> import a bare revocation certificate.  No version of PGP can, so there
>> is code to push out a minimal public key before the revocation
>> certificate.  We'd need to add some sort of flag to indicate to
>> include the minimal public key, and that's sort of reinventing --pgp
> That is
>  if (keyblock && (PGP2 || PGP6 || PGP7 || PGP8))
>    {
>      /* Use a minimal pk for PGPx mode, since PGP can't import bare
>         revocation certificates. */
>      rc = export_minimal_pk (out, keyblock, sig, NULL);
> Thus removing PGP2 won't harm.
>> Maybe the answer is to remove the things to generate PGP 2 messages
>> specifically, and leave the other stuff?  That feels a bit messy.
> Actually this was my idea.  However, signature verification has some
> kludges for PGP2 and we could consider to remove that too.  IIRC, this
> is not even controlled by an option.

I agree.  But I wasn't clear enough - the "other stuff" I'm referring to above is the (PGP6 || PGP7 || PGP8).  That is, removing --pgp2 and leaving the others.  On second consideration, though, the --pgpX options are at least theoretically OpenPGPish (some more than others!), so having those options stay is reasonable.

