SHA1 depreciation ??
jhudson at cedaron.com
Wed Jun 28 19:35:21 CEST 2017
-----BEGIN PGP SIGNED MESSAGE-----
SHA1 got broken some months ago, but I see no useful move to get rid of using it for even new stuff.
I found some email chains a while back showing the web of trust collapsing if SHA1 were not used.
I found Ubuntu trying to go at removing it alone: https://wiki.ubuntu.com/SecurityTeam/GPGMigration
(mainly talks about changing keys but they are testing SHA2 signatures extensively)
I found out it's really hard to make a key that doesn't say "Digest: ... SHA1" in its attributes.
I found out why the web of trust collapses; public signing defaults to SHA1 unless a command line
option is passed to change it. Editing key preferences on your signing key won't do it.
I'm pretty sure Enigmail will sign this message with SHA1 because it doesn't have an option to
select digest and setting whatever on preferences doesn't work.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP SIGNATURE-----
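
An added example, not part of the original message: one way to see which signatures on a key still use SHA1 is to read the digest algorithm ID of each signature packet in `gpg --list-packets` output. The sample listing and key IDs below are constructed, and the helper names are hypothetical.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
LEGACY = {"MD5", "SHA1"}
# Signature classes: 0x10-0x13 certify a user ID (the web-of-trust signatures).
KINDS = {0x00: "data", 0x01: "data", 0x18: "key-binding",
         0x10: "certification", 0x11: "certification",
         0x12: "certification", 0x13: "certification"}

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

def parse_signatures(listing):
    """Return one dict per signature packet in --list-packets text."""
    sigs, cur = [], None
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            cur = {"keyid": m.group(1).upper(), "kind": None, "hash": None}
            sigs.append(cur)
        elif line.startswith(":"):
            cur = None  # another packet type begins
        elif cur is not None:
            c, d = CLASS_RE.search(line), DIGEST_RE.search(line)
            if c:
                cur["kind"] = KINDS.get(int(c.group(1), 16), "other")
            if d:
                cur["hash"] = HASH_NAMES.get(int(d.group(1)), "unknown")
    return sigs

def legacy_signatures(listing):
    """Signatures whose digest is MD5 or SHA1."""
    return [s for s in parse_signatures(listing) if s["hash"] in LEGACY]

# Constructed sample in the layout printed by `gpg --list-packets`.
SAMPLE = """\
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid 1111111111111111
\tversion 4, created 1498671321, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 3a 7f
\thashed subpkt 21 len 3 (pref-hash-algos: 8 9 10)
:signature packet: algo 1, keyid 2222222222222222
\tversion 4, created 1498671400, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 9c 01
"""

if __name__ == "__main__":
    print(legacy_signatures(SAMPLE))
```

To run it on a real key, pass in the text produced by `gpg --export KEYID | gpg --list-packets`. In GnuPG the digest used for key certifications is selected with the `cert-digest-algo` option.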