[Pkg-gnupg-maint] Bug#725679: gnupg: does not seem to honor preferred hash algos list of the key being signed
Santiago Vila
sanvila at unex.es
Tue Oct 8 00:05:38 UTC 2013
El 07/10/13 23:50, David Shaw escribió:
> On Oct 7, 2013, at 6:52 AM, Santiago Vila <sanvila at unex.es> wrote:
>
>> Package: gnupg
>> Version: 1.4.12-7+deb7u1
>>
>> My current GPG key was created in 2009 and very shortly afterwards I
>> changed the digest preferences as explained here:
>>
>> http://www.debian-administration.org/users/dkg/weblog/48
>>
>> and reuploaded the key to the keyservers with the new preferences, namely:
>>
>> Digest: SHA512, SHA384, SHA256, SHA224, SHA1
>>
>> Now, if I create a test user in my system, generate a test GPG key
>> and try to download my key from the keyservers and sign it, I see that
>> it's still signed using SHA-1:
>
> If I understand properly what you're doing, this is not a bug. The person issuing a signature is ultimately in charge to select the digest when they make the signature. While you can set a digest preference on a key, it is merely a request for people making a signature for your benefit to use a digest that you like. In GnuPG, the digest preference is consulted only for data signatures, not key signatures.
Well, it could be not a bug that gpg does not honor digest preferences
for keysigning. Maybe it should, or maybe there should be another set of
preferences for that.
But please note that the *real* problem I'm reporting is that key
signatures are made using SHA-1 by default.
I think this is a disaster. People should not have to modify gpg.conf to
get reasonable defaults. Is SHA-1 a reasonable default for key signing?
More information about the Pkg-gnupg-maint
mailing list