Can't check signature, DSA key 9C973C92 requires a 256 bit or larger hash

David Shaw dshaw at
Mon Mar 17 16:19:45 CET 2014

On Mar 17, 2014, at 10:39 AM, Daniel Kahn Gillmor <dkg at> wrote:

> On 03/15/2014 03:53 PM, Juha Heljoranta wrote:
>> I am not able to get the gpg to verify a signature.
>> Any advice how to fix this?
>> Or could the key 9C973C92 be invalid/broken?
>> $ mkdir -m 700 newgnupg
>> $ echo foo > zinc-0.2.0.jar
>> $ wget
> This is a signature ostensibly made by a 2048-bit DSA key, made over an
> SHA-1 digest.  DSA keys larger than 1024-bits should generally make
> signatures over stronger digests than SHA-1.
> See section 4.2 of FIPS-186-4
> for similar
> guidance.
> Perhaps the folks who publish zinc need to --enable-dsa2, or to remove
> any mistaken "digest-algo sha1" from their signing routines?  You could
> point them at this thread in the gnupg-users archives if you think it
> would be useful.

It doesn't matter if you specify --digest-algo sha1.  Regardless of the setting of enable-dsa2, it the key wants a 256-bit hash, gpg won't allow you to sign with SHA-1.  There is no way to generate that signature, at least in gpg.


More information about the Gnupg-users mailing list