SHA1 depreciation ??

Joshua Hudson jhudson at cedaron.com
Wed Jun 28 19:35:21 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA1 got broken some months ago, but I see no useful move to get rid of using it for even new stuff.

I found some email chains awhile back showing the web of trust collapsing if SHA1 were not used.

I found ubuntu trying to go at removing it alone: https://wiki.ubuntu.com/SecurityTeam/GPGMigration
(mainly talks about changing keys but they are testing SHA2 signatures extensively)

I found out it's really hard to make a key that doesn't say "Digest: ... SHA1" in its attributes.

I found out why the web of trust collapses; public signing defaults to SHA1 unless a command line
option is passed to change it. Editing key preferences on your signing key won't do it.

I'm pretty sure enigmail will sign this message with SHA1 because it doesn't have an option to
select digest and setting whatever on preferences doesn't work.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iF4EAREIAAYFAllT6MMACgkQE8ihdI6XWvTX1AD/T8oFAb2/TNGkt3Ke8sYSTO9H
wQXh6MqsRajuqF542NUA/2PEajHFahVohQBxQLeUwAZr5G8Kk4q77Nq3mOpwzbfa
=kwi5
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8E975AF4.asc
Type: application/pgp-keys
Size: 2427 bytes
Desc: 0x8E975AF4.asc
URL: </pipermail/attachments/20170628/9349e140/attachment.key>


More information about the Gnupg-users mailing list