Accidentally used SHA1

Andrew Gallagher andrewg at andrewg.com
Fri Jul 1 20:40:48 CEST 2016


> On 1 Jul 2016, at 17:45, Cannon <cannon at cannon-ciota.info> wrote:
> 
> I accidentally messed up. Used the wrong gpg.conf when generating a
> signature on a message. The incorrect config was used causing my message
> to be signed using SHA1 instead of SHA512. I did not realize this until
> after message was already irreversibly published.
> 
> Does using SHA1 in past make my key less secure or does this only make
> the signed message more prone to collision instead of key leak?

If someone were able to generate a message which collided with the sha1 hash of this particular message then they could impersonate you to anyone who still regarded sha1 signatures as valid (this last point is an important caveat).

We must be careful to distinguish this from a collision attack though. A hash collision is where you generate lots of hashes and find any two that match. Sha1 is known to be vulnerable to this. But to fake your signature requires a preimage attack, which needs the fake hash to match *this particular* hash. That is a good deal more difficult, and sha1 is believed to be preimage-resistant for the moment.

At some point in the future of course, sha1 will fall. However, all is not lost. Your primary key is not compromised, just this particular signature packet made by this particular signing subkey. If you are sufficiently worried, you can revoke the subkey (thus revoking this signature) and generate a new one. All your previous signatures will be invalidated also, but you can regenerate them with your new subkey if that is an issue. 

A
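One way to catch this before a message is published, as an added example that is not part of the thread: parse the OpenPGP signature packet header and read the digest-algorithm octet (RFC 4880 sections 4.2 and 5.2), flagging SHA1 or MD5; `gpg --list-packets` on the signature file prints the same field as `digest algo`. It assumes a binary (dearmored) packet, and the sample packet it builds is constructed with a dummy MPI, so it is not a real, verifiable signature.

```python
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}

def parse_header(data: bytes):
    """Return (tag, body_length, body_offset); handles old- and new-format headers."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new-format header
        tag, b0 = first & 0x3F, data[1]
        if b0 < 192:
            return tag, b0, 2
        if b0 < 224:
            return tag, ((b0 - 192) << 8) + data[2] + 192, 3
        if b0 == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, int.from_bytes(data[1:1 + n], "big"), 1 + n

def signature_hash_algo(packet: bytes) -> str:
    """Name of the digest algorithm recorded in a v3 or v4 signature packet."""
    tag, length, off = parse_header(packet)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    body = packet[off:off + length]
    if body[0] == 4:
        algo_id = body[3]    # v4: version, sig type, pubkey algo, hash algo
    elif body[0] == 3:
        algo_id = body[16]   # v3: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")

def uses_weak_digest(packet: bytes) -> bool:
    return signature_hash_algo(packet) in WEAK_DIGESTS

def sample_signature(hash_algo_id: int) -> bytes:
    """Constructed v4 packet with a dummy MPI: header fields are real, the signature is not."""
    body = bytes([4, 0x00, 1, hash_algo_id])                    # v4, binary document, RSA, digest id
    body += (6).to_bytes(2, "big") + bytes([5, 2]) + (1467398448).to_bytes(4, "big")  # creation time
    body += (0).to_bytes(2, "big") + b"\xab\xcd"                # no unhashed subpackets; hash prefix
    body += (8).to_bytes(2, "big") + b"\x80"                    # dummy 8-bit MPI
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body  # old-format header: tag 2, 2-octet length
```

Run `uses_weak_digest` over the first packet of a dearmored signature (`gpg --dearmor`) to flag a SHA1 signature; the same constructed sample with id 2 is flagged and with id 10 (SHA512) is not.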


