[Pkg-gnupg-maint] Bug#725679: gnupg: does not seem to honor preferred hash algos list of the key being signed

Santiago Vila sanvila at unex.es
Mon Oct 7 10:52:15 UTC 2013 

Package: gnupg
Version: 1.4.12-7+deb7u1

My current GPG key was created in 2009 and very shortly afterwards I
changed the digest preferences as explained here:

http://www.debian-administration.org/users/dkg/weblog/48

and reuploaded the key to the keyservers with the new preferences, namely:

  Digest: SHA512, SHA384, SHA256, SHA224, SHA1

Now, if I create a test user in my system, generate a test GPG key
and try to download my key from the keyservers and sign it, I see that
it's still signed using SHA-1:

On the test user account:

gpg --export sanvila | gpg --list-packets

says:

:signature packet: algo 1, keyid 402E6FAD3BD8FC61 <=== key for the test user
        version 4, created 1381140424, md5len 0, sigclass 0x10
=====>  digest algo 2, begin of digest a0 67
        hashed subpkt 2 len 4 (sig created 2013-10-07)
        subpkt 16 len 8 (issuer key ID 402E6FAD3BD8FC61)
        data: [2045 bits]

I think there is something fundamentally wrong when keeping the
default gpg.conf untouched leads to signatures still made using SHA-1
and not even the preferences in the key are honored.

Note: I see that changing the preferences and reuploading the key is
implemented by adding another self-signature, in my case I see this:

gpg --list-packets pubring.gpg

:signature packet: algo 1, keyid MYKEYID
        [...]
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        [...]
:signature packet: algo 1, keyid MYKEYID
        [...]
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
        hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
        hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)

Could it be that gpg is completely ignoring the additional signature
having the preferences that I changed and it only sees the first one?

Am I supposed to revoke the first self-signature? I hope not. One would think
that if this preferences thing is implemented by using additional signatures,
then the fact that the new preferences have priority over the old ones should
be somewhat automatic.

BTW: I don't like to inflate severities, so I've used "normal" here,
but if I'm not missing anything and this is a real bug that should be fixed,
I think it would deserve an upload for stable.

Thanks.

More information about the Pkg-gnupg-maint mailing list