Can't check signature, DSA key 9C973C92 requires a 256 bit or larger hash
David Shaw
dshaw at jabberwocky.com
Mon Mar 17 16:19:45 CET 2014
On Mar 17, 2014, at 10:39 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 03/15/2014 03:53 PM, Juha Heljoranta wrote:
>
>> I am not able to get the gpg to verify a signature.
>>
>> Any advice how to fix this?
>> Or could the key 9C973C92 be invalid/broken?
>>
>>
>> $ mkdir -m 700 newgnupg
>> $ echo foo > zinc-0.2.0.jar
>> $ wget http://repo1.maven.org/maven2/com/typesafe/zinc/zinc/0.2.0/zinc-0.2.0.jar.asc
>
> This is a signature ostensibly made by a 2048-bit DSA key, made over an
> SHA-1 digest. DSA keys larger than 1024-bits should generally make
> signatures over stronger digests than SHA-1.
>
> See section 4.2 of FIPS-186-4
> http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf for similar
> guidance.
>
> Perhaps the folks who publish zinc need to --enable-dsa2, or to remove
> any mistaken "digest-algo sha1" from their signing routines? You could
> point them at this thread in the gnupg-users archives if you think it
> would be useful.
It doesn't matter if you specify --digest-algo sha1. Regardless of the setting of enable-dsa2, it the key wants a 256-bit hash, gpg won't allow you to sign with SHA-1. There is no way to generate that signature, at least in gpg.
David
More information about the Gnupg-users
mailing list