Re-sign subkey binding with changed digest?

Phil Pennock gnupg-users at spodhuis.org
Wed Jan 8 20:01:04 CET 2020


So, this SHA-1 mess is "fun".

To get a fresh self-sig user ID signature on the main key, I can do
this:

  gpg --expert --cert-digest-algo SHA256 --sign-key ${KEYID:?}

The `--expert` overrides the "already signed" safety check, letting you
confirm that yes you really want this.  Alas, it seems that
`--ask-cert-expire` is not enough; it no-ops out.

For sub-key bindings, for encryption keys it's easy: just generate a new
encryption sub-key, let it be signed with a modern hash, and future
messages encrypted to you will just use the new subkey.

For non-encryption subkeys, I'm looking really at signing subkeys: it
seems useful to make sure that existing signatures can continue to be
verified.

How do I re-sign the subkey binding for a [S] signing subkey, to keep
the same key but make the association from the main key be with SHA256
please?

Thanks,
-Phil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 996 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200108/f8e9e4f1/attachment.sig>
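A check that goes with the question above, added here as an example and not part of Phil's post or of GnuPG itself: before and after re-signing, it is useful to see which digest algorithm each self-signature on a key actually uses (the user ID certs as well as the subkey bindings, since those are the ones a SHA-1 clean-up has to cover). The script below parses the output of `gpg --list-packets`, maps the sigclass and digest algo numbers from RFC 4880 to names, and flags MD5 and SHA-1. The packet dump embedded in it is constructed to mimic real output; its key ID, offsets and timestamps are placeholders, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post or from GnuPG.
# Real usage:  gpg --export "$KEYID" | gpg --list-packets | sig_digests
# Self-signatures are the lines whose issuing keyid is your own primary key.

# Constructed sample of `gpg --list-packets` output (placeholder key ID and
# values): a SHA-1 user ID cert, a SHA-1 subkey binding, a SHA256 binding.
SAMPLE_PACKETS='# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
        version 4, algo 1, created 1262300000, expires 0
# off=272 ctb=b4 tag=13 hlen=2 plen=20
:user ID packet: "Example <user@example.org>"
# off=294 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid 0123456789ABCDEF
        version 4, created 1262300000, md5len 0, sigclass 0x13
        digest algo 2, begin of digest ab cd
# off=609 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
        version 4, algo 1, created 1262300100, expires 0
# off=881 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid 0123456789ABCDEF
        version 4, created 1262300100, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 12 34
# off=1196 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
        version 4, algo 1, created 1578500000, expires 0
# off=1468 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid 0123456789ABCDEF
        version 4, created 1578500000, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 56 78'

# Read a packet dump on stdin; print one line per signature packet:
#   <signature kind> by <issuer keyid> <digest name> <WEAK|ok>
sig_digests() {
    awk '
    BEGIN {
        # Hash algorithm IDs, RFC 4880 section 9.4.
        name[1] = "MD5"; name[2] = "SHA1"; name[3] = "RIPEMD160"
        name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"; name[11] = "SHA224"
        # Signature types, RFC 4880 section 5.2.1.
        kind["0x10"] = "uid-cert"; kind["0x11"] = "uid-cert"
        kind["0x12"] = "uid-cert"; kind["0x13"] = "uid-cert"
        kind["0x18"] = "subkey-binding"; kind["0x19"] = "primary-binding"
        kind["0x1f"] = "direct-key"
    }
    /^:signature packet:/ {
        insig = 1; sigclass = "?"; keyid = "?"
        if (match($0, /keyid [0-9A-F]+/)) keyid = substr($0, RSTART + 6, RLENGTH - 6)
        next
    }
    /^:/ { insig = 0; next }              # any other packet header ends the signature
    insig && match($0, /sigclass 0x[0-9a-f]+/) {
        sigclass = substr($0, RSTART + 9, RLENGTH - 9)
    }
    insig && match($0, /digest algo [0-9]+/) {
        algo = substr($0, RSTART + 12, RLENGTH - 12) + 0
        what = (sigclass in kind) ? kind[sigclass] : "other(" sigclass ")"
        label = (algo in name) ? name[algo] : "algo" algo
        flag = (algo == 1 || algo == 2) ? "WEAK" : "ok"
        print what, "by", keyid, label, flag
    }'
}

# Count the signatures in a dump (stdin) that still use MD5 or SHA-1.
weak_sig_count() {
    sig_digests | grep -c ' WEAK$'
}

# Stand-alone demo on the constructed sample: prints three lines, two WEAK.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PACKETS" | sig_digests
fi
```

Run with `sh script.sh --demo` to see the sample analysed; on a real key, pipe `gpg --export "$KEYID" | gpg --list-packets` into `sig_digests` and look for `subkey-binding ... SHA1 WEAK` lines issued by your own key ID. Those are the bindings the question above is about; after a successful re-sign the new binding signature should show up as `SHA256 ok`, while the old one remains in the export until it is deleted, so expect both to be listed.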