Moving away from SHA-1

Stephane Bortzmeyer bortzmeyer at
Wed Feb 12 09:38:02 CET 2014

On Tue, Feb 11, 2014 at 09:10:32AM +0100,
 Per Tunedal <per.tunedal at> wrote 
 a message of 17 lines which said:

> When SHA-1 falls, GnuPG will otherwise be completely broken as
> internal key signatures, as well signatures of public keys from
> others and the fingerprint rely on SHA-1 hashes.

Isn't three different cases? For the fingerprint, it is in the RFC
4880 (section 12.2) and GnuPG cannot change it unilaterally or it
would stop to be OpenPGP-compliant.

For the signatures of public keys from others, you can already put:

cert-digest-algo SHA256

in your gpg.conf.

I don't know why it's not the default but there is certainly a good
reason in the archives mentioned by Peter Lebbing. In the mean time,
you can always migrate yourself.

More information about the Gnupg-users mailing list