Hello,

I ended up recreating the signatures with a completely new settings file, gpg.conf:
no-emit-version
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
keyserver-options no-honor-keyserver-url auto-key-retrieve
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-new-key-algo rsa4096
cert-digest-algo SHA512
digest-algo SHA512
disable-cipher-algo 3DES
default-key <somekey>
agent-program /usr/local/gnupg-2.4/bin/gpg-agent

Cheers
Matthias

On 24 Aug 2025, at 22:27, Bill Cole wrote:

> On 2025-08-24 at 11:19:29 UTC-0400 (Sun, 24 Aug 2025 16:19:29 +0100)
> mat via mailmate <[email protected]>
> is rumored to have said:
>
>> Hello,
>>
>> Since I had to set up my Mac anew I get this warning when I send signed or
>> encrypted mail.
>> I have to click it away, else I can’t send.
>> My keys are all RSA and at 2048 in size.
>> Mailmate is: Version 2.0 (6272)
>>
>> Any idea what might go wrong here?
>
> Not precisely, as you didn't say whether you are using GPG or S/MIME.
>
> The SHA* algorithms are "Secure Hashes" which are used to generate
> random-looking fixed length "message authentication codes" or "fingerprints"
> from arbitrary input data, which cannot be used to regenerate the original
> data. Contrary to the name, those "fingerprints" are NOT globally unique, but
> they are distinct enough for most uses because generating hash collisions
> intentionally is very hard. For SHA1 (which generates 160-bit hashes) there
> are enough tricks discovered and enough raw computing power widely available
> to make use of SHA1 unsafe in some uses. Both S/MIME certificates and GPG
> keys can use SHA1, and it was required for use on "v4" keys (see
> https://www.rfc-editor.org/rfc/rfc4880#section-12.2) but has since been
> deprecated. Similarly, the x509 certificates issued for S/MIME for many years
> used SHA1 but today typically use SHA256 or SHA512.
>
> The reason this is just a warning that you can click through is that the
> "insecurity" of SHA1 is mostly theoretical for the email use case. SHA1 is
> used in establishment of trust for keys/certs rather than being used in
> encryption, so the theoretical attacks are a bit past (IMNSHO) what one needs
> to worry about unless one is a target of a very motivated and well-resourced
> attacker.
>
> I'm not sure if it is still needed, but back when the deprecation of SHA1 was
> more recent, I found it helpful to add these lines to ~/.gnupg/gpg.conf:
>
>
> personal-digest-preferences SHA512 SHA384 SHA256 SHA224
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> I am no longer entirely sure why (or even whether) I needed all 3 lines, but
> I have not had a SHA1 warning in years...
>
> --
> Bill Cole
> [email protected] or [email protected]
> (AKA @[email protected] and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> _______________________________________________
> mailmate mailing list
> Unsubscribe: https://lists.freron.com/listinfo/mailmate
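Added example, not part of either message in this thread: the gpg.conf settings above only affect signatures made from then on, so one way to see whether a key's self-signatures were actually recreated with a stronger hash is to read the digest algorithm of each signature packet. The sketch below parses the text printed by `gpg --export <key> | gpg --list-packets`; the sample listing, its key ID and the function names are constructed for illustration.

```python
import re

# OpenPGP hash algorithm IDs from RFC 4880, section 9.4
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

# Constructed sample in the layout of `gpg --export <key> | gpg --list-packets`;
# key ID, timestamps and digest bytes are made up.
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1400000000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1400000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
\thashed subpkt 2 len 4 (sig created 2014-05-13)
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1756000000, md5len 0, sigclass 0x13
\tdigest algo 10, begin of digest ab cd
:public sub key packet:
\tversion 4, algo 1, created 1400000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1400000000, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 56 78
"""

def latest_self_signatures(listing, keyid):
    """Map each packet that carries self-signatures to its newest (created, hash)."""
    latest, target, in_sig, created = {}, None, False, 0
    for line in listing.splitlines():
        if line.startswith(":"):                # a new packet begins
            m = re.match(r":signature packet: algo \d+, keyid (\w+)", line)
            in_sig = bool(m) and m.group(1).upper() == keyid.upper()
            if not m:
                target = line.strip(":")        # packet the next signatures cover
        elif in_sig:
            m = re.search(r"version \d+, created (\d+),", line)
            if m:
                created = int(m.group(1))
            m = re.search(r"digest algo (\d+),", line)
            if m and created >= latest.get(target, (0, ""))[0]:
                latest[target] = (created, HASHES.get(int(m.group(1)), "unknown"))
    return latest

def weak_targets(listing, keyid):
    """Packets whose newest self-signature still uses a weak hash."""
    return sorted(t for t, (_, h) in latest_self_signatures(listing, keyid).items()
                  if h in WEAK)
```

In the constructed sample the user ID has a newer SHA512 self-signature that supersedes the old SHA1 one, while the subkey binding signature is still SHA1 and is the only entry reported.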
