SHA1 depreciation ??

Robert J. Hansen rjh at sixdemonbag.org
Thu Jun 29 23:31:35 CEST 2017


> SHA1 got broken some months ago, but I see no useful move to get rid
> of using it for even new stuff.

(a) Not for OpenPGP's uses.  For our uses it's still safe, although we
recommend moving to other, better, hashes as soon as possible.

(b) It's pretty easy to avoid using SHA-1.  There are still a small
number of places where it's mandatory, and this will not change until
the IETF OpenPGP Working Group publishes the v5 key specification.

(c) The IETF OpenPGP WG is working on a new key specification ("v5")
which completely gets rid of SHA-1.

> I found out it's really hard to make a key that doesn't say "Digest:
> ... SHA1" in its attributes.

You found out it's *impossible*.  SHA-1 is a MUST algorithm according to
the RFC.  You cannot get rid of SHA-1 from your key preferences.  Even
if you were to do it, every RFC-conformant OpenPGP application on the
planet would say, "that's odd: let me just append SHA-1 to that", as
they are required to do by the RFC.

> I found out why the web of trust collapses; public signing defaults
> to SHA1 unless a command line option is passed to change it. Editing
> key preferences on your signing key won't do it.

You didn't read the manual.  The preferences attached to your key tell
the world what algorithms you're capable of interoperating with.  GnuPG
never uses them to decide which algorithms to apply to your own traffic.

> I'm pretty sure enigmail will sign this message with SHA1 because it
> doesn't have an option to select digest and setting whatever on
> preferences doesn't work.

Enigmail doesn't sign anything.  GnuPG is what signs things.  Enigmail
just hands your documents to GnuPG for processing.

Check what digest was used to sign this message.  Hint: I'm using Enigmail.

Try adding this line to your gpg.conf file:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160
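
The message suggests checking which digest a signature was made with. The following is an added example, not part of the original post: it reads the hash algorithm octet from the first packet of an ASCII-armored OpenPGP signature, following the RFC 4880 packet layout. The function names and the sample packet are constructed for illustration, and the sample is not a verifiable signature.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Return the binary packet data inside an ASCII-armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]   # skip armor headers and the END line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_packet(data):
    """Parse one packet header and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                       # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        else:
            raise ValueError("five-octet and partial lengths are not handled")
    else:                                  # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled")
        n = 1 << ltype                     # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    return tag, data[start:start + length]

def signature_digest(armored):
    """Name the hash algorithm recorded in the first signature packet."""
    tag, body = first_packet(dearmor(armored))
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    offset = {3: 16, 4: 3}.get(body[0])    # hash octet position for v3 / v4
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature packet")
    return HASH_NAMES.get(body[offset], "unknown (%d)" % body[offset])

def constructed_sample(hash_id):
    """Constructed, unverifiable v4 signature packet (no MPIs), armored without CRC."""
    body = bytes([4, 0x00, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" % b64

print(signature_digest(constructed_sample(10)))  # SHA512
```

With GnuPG installed, `gpg --list-packets` on a signature file reports the same field as `digest algo`.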
