On 07/10/13 23:50, David Shaw wrote:
> On Oct 7, 2013, at 6:52 AM, Santiago Vila <sanv...@unex.es> wrote:
>
>> Package: gnupg
>> Version: 1.4.12-7+deb7u1
>>
>> My current GPG key was created in 2009 and very shortly afterwards I
>> changed the digest preferences as explained here:
>>
>> http://www.debian-administration.org/users/dkg/weblog/48
>>
>> and reuploaded the key to the keyservers with the new preferences, namely:
>>
>>   Digest: SHA512, SHA384, SHA256, SHA224, SHA1
>>
>> Now, if I create a test user in my system, generate a test GPG key
>> and try to download my key from the keyservers and sign it, I see that
>> it's still signed using SHA-1:
>
> If I understand properly what you're doing, this is not a bug.  The person
> issuing a signature is ultimately in charge of selecting the digest when they make
> the signature.  While you can set a digest preference on a key, it is merely a
> request for people making a signature for your benefit to use a digest that you
> like.  In GnuPG, the digest preference is consulted only for data signatures,
> not key signatures.

Well, it may not be a bug that gpg does not honor digest preferences for key signing. Maybe it should, or maybe there should be another set of preferences for that.

But please note that the *real* problem I'm reporting is that key signatures are made using SHA-1 by default.

I think this is a disaster. People should not have to modify gpg.conf to get reasonable defaults. Is SHA-1 a reasonable default for key signing?
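The practical question behind this thread is how to find out which digest a given key signature (certification) was actually made with, since the key holder's stated preferences do not control it. The following is an added example, not code from this bug report or from GnuPG: a small parser for OpenPGP (RFC 4880) packet headers and version 4 signature packets that reports the hash algorithm of every signature in a binary stream and flags SHA-1 and older digests. The sample packets it parses are constructed inline with a helper (`build_cert_sig`, a hypothetical name) and carry a placeholder MPI rather than a real RSA value; the `WEAK_HASHES` set is this example's own policy choice. Any real binary key export (for instance the output of `gpg --export KEYID`) can be passed to `audit_signatures` in the same way.

```python
"""Report the digest algorithm used by OpenPGP (RFC 4880) signature packets."""
import struct
from dataclasses import dataclass

# RFC 4880 section 9.4: hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

# RFC 4880 section 5.2.1: signature types that certify a user ID on a key.
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}

# Policy for this example (an assumption, not a GnuPG setting): digests to flag.
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}


@dataclass
class SigInfo:
    sig_type: int
    hash_algo: str
    is_certification: bool
    weak: bool


def _packet_header(buf, pos):
    """Parse an old- or new-format packet header; return (tag, body_offset, body_len)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag = ctb & 0x3F
        b0 = buf[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + buf[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F  # old-format header: tag in bits 2..5, length type in bits 0..1
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def parse_signature(body):
    """Extract signature type and digest from a version 4 signature packet body."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    sig_type, hash_id = body[1], body[3]  # body[2] is the public-key algorithm
    name = HASH_ALGOS.get(hash_id, f"unknown({hash_id})")
    return SigInfo(sig_type, name, sig_type in CERTIFICATION_TYPES, name in WEAK_HASHES)


def audit_signatures(blob):
    """Walk a binary OpenPGP stream and describe every signature packet (tag 2)."""
    out, pos = [], 0
    while pos < len(blob):
        tag, off, length = _packet_header(blob, pos)
        if tag == 2:
            out.append(parse_signature(blob[off:off + length]))
        pos = off + length
    return out


def build_cert_sig(hash_id, new_format=False):
    """Construct a minimal v4 generic certification packet (sample data, not a real signature)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1254440400)            # creation-time subpacket
    unhashed = bytes([9, 16]) + b"\x01\x02\x03\x04\x05\x06\x07\x08"  # issuer key ID subpacket
    body = (bytes([4, 0x10, 1, hash_id])                 # version, type, RSA, hash algorithm
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD"                                 # left 16 bits of the hash
            + struct.pack(">H", 16) + b"\xC0\x01")        # placeholder 16-bit MPI
    ctb = 0xC2 if new_format else 0x88  # tag 2 in new-format / old-format encoding
    return bytes([ctb, len(body)]) + body


# Constructed sample: a SHA-1 certification (the default this thread complains about),
# then SHA-256 and SHA-512 ones.
SAMPLE_STREAM = build_cert_sig(2) + build_cert_sig(8, new_format=True) + build_cert_sig(10)

if __name__ == "__main__":
    for info in audit_signatures(SAMPLE_STREAM):
        flag = "WEAK" if info.weak else "ok"
        print(f"type=0x{info.sig_type:02x} cert={info.is_certification} "
              f"digest={info.hash_algo} [{flag}]")
```

Running the block prints one line per signature, flagging the SHA-1 certification. Because the signer, not the key holder, picks the digest for certifications, the place to change this on the signing side is the signer's own gpg.conf, where GnuPG's `cert-digest-algo` option sets the digest used for key signatures; the parser above is what lets a key holder verify afterwards which digest others actually used on their key.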
