--digest-algo (feature request)

David Shaw dshaw at jabberwocky.com
Fri Jul 16 14:18:18 CEST 2004



On Thu, Jul 15, 2004 at 01:42:52AM -0400, Atom 'Smasher' wrote:
> if i set "digest-algo" to "SHA256" and try to sign something with a DSS 
> key, it fails (after typing a password, which makes it even more 
> annoying).
> 
> should signing with a DSS key ignore --digest-algo (and always use SHA1)??
> 
> is there (or should there be) a better way to match larger hashes with 
> larger (non-DSS) signing keys?
> 
> if i have a 4096 RSA primary key and a DSS subkey (oh, wait a minute, i 
> *do* have that ;) should there be a way to specify (in the configuration 
> file) that i want to use a larger hash if i'm signing with my 4096 RSA 
> key, while not causing problems for my DSS key?

  personal-digest-preferences sha256 sha1

That means "use SHA256 if possible, SHA1 otherwise".  Actually, you
could even leave off the "sha1" and it would still work since SHA1 is
the default algorithm.  This list of preferences also comes into play
when you sign and encrypt a message to other people: only algorithms
on this list are considered, and ranked in that order.

Note that this is only a 1.3.x feature.

> what if i generate a 2048 RSA signing subkey... let's say i want to 
> specify (in my config) that i want to use SHA-512 if i'm signing something 
> with my 4096 key; and SHA-256 if i'm signing something with a 2048 key... 
> and of course, DSS still needs SHA-1.

That isn't possible with the current system.  GnuPG will pick the
first algorithm that is possible to use, so both RSA keys would pick
the highest ranked digest.

David
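To make the selection rule in the reply concrete, here is an added Python model (it is not GnuPG's own code) of how the digest is picked per key: the gpg.conf fragment, the key records and the function names are constructed for the example. It assumes the one constraint the thread states, that a DSS/DSA key needs a 160-bit (SHA1-sized) digest, and that an explicit --digest-algo is used as given rather than adjusted.

```python
import re
# OpenPGP hash algorithm IDs (RFC 2440 section 9.4) and their output size in bits.
DIGESTS = {"MD5": (1, 128), "SHA1": (2, 160), "RIPEMD160": (3, 160),
           "SHA256": (8, 256), "SHA384": (9, 384), "SHA512": (10, 512)}

# Constructed gpg.conf fragment: the line from the reply plus a comment.
EXAMPLE_CONF = "# hash preferences for my own signatures\npersonal-digest-preferences sha256 sha1\n"

# Constructed key records standing in for the poster's keyring (hypothetical sizes).
KEYS = {"rsa4096": {"algo": "RSA", "bits": 4096},
        "rsa2048": {"algo": "RSA", "bits": 2048},
        "dsa1024": {"algo": "DSA", "bits": 1024, "q_bits": 160}}

def parse_personal_digest_preferences(conf_text):
    """Digest names from the personal-digest-preferences line, highest rank first;
    [SHA1] (the default) when the option is absent."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"personal-digest-preferences\s+(.+)$", line)
        if m:
            names = [t.upper().replace("-", "") for t in m.group(1).replace(",", " ").split()]
            unknown = [n for n in names if n not in DIGESTS]
            if unknown:
                raise ValueError("unknown digest(s): " + ", ".join(unknown))
            return names
    return ["SHA1"]

def usable(digest, key):
    """DSA (DSS) keys of this era need a digest exactly the size of q (160 bits); RSA takes any."""
    if key["algo"] == "DSA":
        return DIGESTS[digest][1] == key["q_bits"]
    return True

def choose_digest(prefs, key, forced=None):
    """Selection rule from the reply: an explicit --digest-algo is used as is (and fails on a
    key that cannot use it); otherwise the first usable preference wins, SHA1 as last resort."""
    if forced is not None:
        forced = forced.upper().replace("-", "")
        if not usable(forced, key):
            raise ValueError("%s key cannot sign with %s" % (key["algo"], forced))
        return forced
    for d in prefs:
        if usable(d, key):
            return d
    return "SHA1"

def plan(conf_text, keys):
    """Digest each key ends up with under the given config; both RSA keys get the top choice."""
    prefs = parse_personal_digest_preferences(conf_text)
    return {name: choose_digest(prefs, key) for name, key in keys.items()}
```

On a real signature the check is gpg --list-packets on the output: the signature packet's "digest algo" field shows the ID actually used (2 for SHA1, 8 for SHA256).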