self-sigs with weaker hashes
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 11 00:58:55 CET 2017
hey all--
please take a look at the behavior of gpg 2.1.17 with key
DC418BB65BF51BA86B845A48308B0A7BD8DEC2EC
This is a 3072-bit DSA key with two User IDs.
One of the User IDs has four self-sigs on it, two of which appear to be
SHA1 (gpg produces the error message):
gpg: DSA key 308B0A7BD8DEC2EC requires a 256 bit or larger hash (hash is SHA1)
The "bad" ones are made between two "good" ones, according to their
timestamps. From --check-sigs:
sig!3 308B0A7BD8DEC2EC 2015-08-09 ***User ID REDACTED***
sig%3 308B0A7BD8DEC2EC 2015-08-22 [General error]
sig%3 308B0A7BD8DEC2EC 2015-08-22 [General error]
sig!3 308B0A7BD8DEC2EC 2016-06-05 ***User ID REDACTED***
Should gpg just ignore or filter out the "bad" self-sigs that it doesn't
think are valid, rather than leaking warnings every time the key is
encountered?
Even if gpg wants to keep around the "bad" self-sigs, since there is a
more recent self-sig that isn't invalid, shouldn't gpg swallow that
warning? This seems like a case of noise that is just distracting for
most users, when gpg can figure out the Right Thing to do here anyway.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170110/9af52e8b/attachment.sig>
More information about the Gnupg-devel
mailing list