v1.4: How to check user ID-binding hash with `gpg --list-packets`?
Werner Koch
wk at gnupg.org
Mon Nov 4 09:47:49 CET 2024
Hi!
On Sat, 2 Nov 2024 17:52, Nutchanon Wetchasit said:
> from its default value to "SHA512". [1] And now, I would like to use
> one of these in actual encrypted correspondences, but I'm not sure which one
> was actually generated after the config change. I have also used one of them
That is easy. Given that your key is older than 2019 we won't reject
keys with SHA-1 key signatures. However, you can enforce this and also
any other crypto use of SHA-1 by adding
    weak-digest SHA1
to your gpg.conf.
> > :signature packet: algo 1, keyid F1D9FE7298C60B03
> > version 4, created 1619409428, md5len 0, sigclass 0x13
> > digest algo 2, begin of digest 54 a3
>
> ^ But does the "digest algo 2" really mean the same thing as
> what's so-called "H2" in the `pref` command output of
> `gpg --edit-key` shell?
Right, 2 is SHA1. H2 means hash algo number 2.
    DIGEST_ALGO_MD5 = 1,
    DIGEST_ALGO_SHA1 = 2,
    DIGEST_ALGO_RMD160 = 3,
    /* 4, 5, 6, and 7 are reserved. */
    DIGEST_ALGO_SHA256 = 8,
    DIGEST_ALGO_SHA384 = 9,
    DIGEST_ALGO_SHA512 = 10,
    DIGEST_ALGO_SHA224 = 11,
> As far as I understand, the information I'm looking for is considered
> under-the-hood and isn't available directly from interactive
Right. However, you can do some tricks with --list-filter to filter out
certain packets.
> [1] As far as I understand, GPG classic uses SHA-1 hash for user ID binding
> signature unless configured otherwise. With SHA-1 being considered dodgy
> for security use, I proceeded to change that setting (and associated
Yes. You may however create a new binding signature which will then use
SHA256. For example by changing the expiration date.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
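
Added example (not part of the message above and not GnuPG code): a small Python parser for `gpg --list-packets` output that reports the digest algorithm of each user ID certification (sigclass 0x10 to 0x13) and flags SHA-1 and MD5, using the algorithm numbers listed in the message. The sample listing is constructed; only the first signature's three lines are taken from the quoted output.

```python
import re

# Digest algorithm numbers as listed in the message above.
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # certifications over a user ID

# Constructed sample in the shape of `gpg --list-packets` output.
SAMPLE = """\
:public key packet:
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid F1D9FE7298C60B03
\tversion 4, created 1619409428, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 54 a3
:signature packet: algo 1, keyid F1D9FE7298C60B03
\tversion 4, created 1730500000, md5len 0, sigclass 0x13
\tdigest algo 10, begin of digest 9c 1e
:public sub key packet:
:signature packet: algo 1, keyid F1D9FE7298C60B03
\tversion 4, created 1619409428, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 7b 02
"""

def user_id_signatures(text):
    """Return one dict per user ID certification found in the listing."""
    results, uid, sig = [], None, None
    for line in text.splitlines():
        if line.startswith(":"):          # a new packet begins
            sig = None
            if line.startswith(":user ID packet:"):
                uid = line.split(":", 2)[2].strip().strip('"')
            elif line.startswith(":signature packet:"):
                sig = {"uid": uid, "keyid": line.rsplit("keyid ", 1)[-1].strip()}
            continue
        if sig is None:                   # detail line of a non-signature packet
            continue
        m = re.search(r"created (\d+).*sigclass (0x[0-9a-fA-F]+)", line)
        if m:
            sig["created"], sig["sigclass"] = int(m.group(1)), int(m.group(2), 16)
        m = re.match(r"\s*digest algo (\d+)", line)
        if m and sig.get("sigclass") in CERT_CLASSES:   # skips the 0x18 subkey binding
            name = DIGEST_NAMES.get(int(m.group(1)), "unknown")
            results.append({**sig, "digest": name, "weak": name in WEAK})
    return results

if __name__ == "__main__":
    for s in user_id_signatures(SAMPLE):
        print(s["uid"], s["created"], s["digest"], "WEAK" if s["weak"] else "ok")
```

For a real key, pass the text produced by `gpg --export KEYID | gpg --list-packets` to `user_id_signatures()` instead of `SAMPLE`; the certification with the latest `created` value is the one to check after re-signing.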