SHA1 depreciation ??

Joshua Hudson jhudson at
Wed Jun 28 19:35:21 CEST 2017

Hash: SHA256

SHA1 got broken some months ago, but I see no useful move to get rid of using it for even new stuff.

I found some email chains a while back showing the web of trust collapsing if SHA1 were not used.

I found Ubuntu trying to go at removing it alone:
(mainly talks about changing keys but they are testing SHA2 signatures extensively)

I found out it's really hard to make a key that doesn't say "Digest: ... SHA1" in its attributes.

I found out why the web of trust collapses; public signing defaults to SHA1 unless a command line
option is passed to change it. Editing key preferences on your signing key won't do it.

I'm pretty sure Enigmail will sign this message with SHA1 because it doesn't have an option to
select digest and setting whatever on preferences doesn't work.
Version: GnuPG v2.0.22 (MingW32)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8E975AF4.asc
Type: application/pgp-keys
Size: 2427 bytes
Desc: 0x8E975AF4.asc
URL: </pipermail/attachments/20170628/9349e140/attachment.key>
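
The check the message above leaves open (which digest a certification on a key was actually made with), as an added example that is not part of the original post or of GnuPG: a small RFC 4880 packet walker that reads the hash-algorithm octet of every signature packet. The function names are this example's own, and the sample bytes are constructed, header-only bodies rather than valid signatures.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
def _read_header(data, pos):
    """Return (tag, body_start, body_len) for the packet at pos (RFC 4880 4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    n = 1 << ltype                        # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def signature_digests(data):
    """List (sig_type, digest_name) for every signature packet (tag 2)."""
    found, pos = [], 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        body = data[start:start + length]
        if len(body) < length:
            raise ValueError("truncated packet")
        if tag == 2:
            if body[0] == 4:              # v4: version, type, pubkey algo, hash algo
                sig_type, algo = body[1], body[3]
            elif body[0] in (2, 3):       # v3: hash algo follows time and key ID
                sig_type, algo = body[2], body[16]
            else:
                raise ValueError("unknown signature version")
            found.append((sig_type, HASH_NAMES.get(algo, f"unknown({algo})")))
        pos = start + length
    return found

def sha1_certifications(data):
    """Certification signatures (types 0x10-0x13) that use SHA-1."""
    return [s for s in signature_digests(data) if 0x10 <= s[0] <= 0x13 and s[1] == "SHA1"]

# Added example data: constructed header-only bodies, not valid signatures.
SAMPLE = (bytes([0xC2, 6, 4, 0x13, 1, 2, 0, 0])      # new format, v4 cert, SHA1
          + bytes([0x88, 6, 4, 0x10, 1, 8, 0, 0])    # old format, v4 cert, SHA256
          + bytes([0xC2, 6, 4, 0x00, 1, 2, 0, 0]))   # v4 document signature, SHA1
```

The same functions accept the binary (non-armored) output of `gpg --export`, since packets other than signatures are skipped by their length.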
