How to "activate" gpg.conf entries?

Sam Smith smickson at hotmail.com
Wed Jul 11 17:46:03 CEST 2012


Thanks. The clearsign "test" worked.

What does "cert-digest-algo" do? I read the description in the GnuPG manual and what you quoted, but I still don't understand. Could someone explain to me what cert-digest-algo does and how it differs from digest-algo when placed in gpg.conf?

So "personal-digest-preferences SHA256" will specify that SHA256 be used for digitally signing my messages, right?

And "default-preference-list" is only used when a user generates a new key, right?



> To: gnupg-users at gnupg.org
> From: kf at sumptuouscapital.com
> Subject: Re: How to "activate" gpg.conf entries?
> Date: Wed, 11 Jul 2012 16:54:27 +0200
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 2012-07-11 16:09, Sam Smith wrote:
> > I've added the following 3 lines to my gpg.conf file:
> > 
> > 1) to use stronger hash when supported by others, I added this line
> > = *personal-digest-preferences SHA256*
> > 
> > 2) to use the SHA256 hash when I Sign a message, I added this line 
> > =*cert-digest-algo SHA256*
> 
> This is not what cert-digest-algo does, I'd recommend removing this
> line at all, but;
>        --cert-digest-algo name
>               Use name as the message digest algorithm  used  when
>               signing  a key.  Running  the  program  with the command
>               --version yields a list of supported algorithms. Be aware
>               that  if  you  choose  an algorithm  that GnuPG supports
>               but other OpenPGP implementations do not, then some users
>               will not be able to use the  key  signatures you make,
>               or quite possibly your entire key.
> 
> > 
> > 3) to change what is used when a new key is generated I added this
> > line = *default-preference-list SHA256 SHA384 SHA512 SHA224 AES256
> > AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed*
> 
> 
> Note that as per RFC4880 this will still not remove SHA1[0: 13.3.2.]
> or 3DES[0: 13.2.], as these are appended tacitly to be able to ensure
> a matching set between implementations.
> 
> 
> > 
> > If I am using the wrong command for my intended purpose, please do
> > let me know :)
> > 
> > What procedure should I now do to "activate" or put into effect
> > these preferences? Once done, is there a way to verify that these
> > preferences are in effect, how can I verify?
> > 
> 
> Clearsign some text and see what hash it yields?
> 
> Also note what has been mentioned regarding the use of 1024 bit DSA
> keys, which are limited to the use of 160 bit hash algo. If you wish
> to use a non-truncated version of SHA256 and have such a key, you'll
> have to propagate to a new one.
> 
> [0] http://tools.ietf.org/html/rfc4880
> 
> 
> 
> - -- 
> - ----------------------------
> Kristian Fiskerstrand
> http://www.sumptuouscapital.com
> Twitter: @krifisk
> - ----------------------------
> Corruptissima re publica plurimæ leges
> The greater the degeneration of the republic, the more of its laws
> - ----------------------------
> This email was digitally signed using the OpenPGP
> standard. If you want to read more about this
> The book: Sending Emails - The Safe Way: An
> introduction to OpenPGP security is now
> available in both Amazon Kindle and Paperback
> format at
> http://www.amazon.com/dp/B006RSG1S4/
> - ----------------------------
> Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.19 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
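
Added example, not part of the thread: a Python check for the "clearsign some text and see what hash it yields" test suggested above. It reads the `Hash:` armor header and also the hash algorithm octet inside the signature packet itself (RFC 4880 sections 4.2, 5.2 and 9.4), since the header is only a hint to the verifier. The names `signature_hash` and `make_sample` are made up for this example, and the sample message is constructed, with a stub packet body rather than a valid signature.

```python
import base64
import re

# Hash algorithm IDs from RFC 4880 section 9.4
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}

def signature_hash(clearsigned):
    """Return (algorithms named in Hash: headers, algorithm in the signature packet)."""
    text = clearsigned.replace("\r\n", "\n")
    # Armor headers of the signed message end at the first blank line
    head = text.split("-----BEGIN PGP SIGNED MESSAGE-----\n", 1)[1].split("\n\n", 1)[0]
    declared = [h.strip().upper()
                for line in re.findall(r"^Hash: *(.+)$", head, re.M)
                for h in line.split(",")]
    armor = text.split("-----BEGIN PGP SIGNATURE-----\n", 1)[1]
    lines = armor.split("-----END PGP SIGNATURE-----", 1)[0].split("\n")
    # Skip Version:/Comment: headers, then drop blanks and the "=XXXX" CRC24 line
    data = [l for l in lines[lines.index("") + 1:] if l and not l.startswith("=")]
    pkt = base64.b64decode("".join(data))
    first = pkt[0]
    if first & 0x40:                                  # new-format packet header
        tag = first & 0x3F
        off = 6 if pkt[1] == 255 else 3 if 192 <= pkt[1] < 224 else 2
    else:                                             # old-format packet header
        tag = (first >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[first & 3]
    if not first & 0x80 or tag != 2:
        raise ValueError("not a signature packet")
    version = pkt[off]
    if version not in (3, 4):
        raise ValueError("unsupported signature version")
    # v4: version, sig type, pubkey algo, hash algo; v3 stores it at offset 16
    algo = pkt[off + 3] if version == 4 else pkt[off + 16]
    return declared, HASH_IDS.get(algo, "unknown(%d)" % algo)

def make_sample(hash_id, header):
    """Constructed sample: correct framing, stub packet body (not a valid signature)."""
    body = bytes([4, 0x01, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    pkt = bytes([0x88, len(body)]) + body    # old format, tag 2, one-octet length
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + header + "\n\ntest\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: sample\n\n"
            + base64.b64encode(pkt).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(signature_hash(make_sample(8, "SHA256")))   # preference in effect
    print(signature_hash(make_sample(2, "SHA256")))   # header and packet disagree
```

On a real message, `gpg --list-packets` reports the same packet field as `digest algo`.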