Moving away from SHA-1
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Feb 12 09:38:02 CET 2014
On Tue, Feb 11, 2014 at 09:10:32AM +0100,
Per Tunedal <per.tunedal at operamail.com> wrote
a message of 17 lines which said:
> When SHA-1 falls, GnuPG will otherwise be completely broken as
> internal key signatures, as well signatures of public keys from
> others and the fingerprint rely on SHA-1 hashes.
Isn't three different cases? For the fingerprint, it is in the RFC
4880 (section 12.2) and GnuPG cannot change it unilaterally or it
would stop to be OpenPGP-compliant.
For the signatures of public keys from others, you can already put:
cert-digest-algo SHA256
in your gpg.conf.
I don't know why it's not the default but there is certainly a good
reason in the archives mentioned by Peter Lebbing. In the mean time,
you can always migrate yourself.
More information about the Gnupg-users
mailing list