
add option for SHA256 and SHA512 fingerprint
Closed, Resolved, Public

Description

Add option to provide SHA256 and SHA512 fingerprints.
Alternatively, extend existing --digest-algo option to change fingerprint output
format.

It would probably be best to provide these in BASE64 instead of HEX format.

Example:
gpg --digest-algo SHA256 --fingerprint 0x12345678
...

Key fingerprint = 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

Event Timeline

Such fingerprints are not specified by OpenPGP. It is also questionable whether
this will be used, given that one could also print a 256 bit ECC key directly.
Yeah, that is a bit different than the fingerprint but it raises the importance
of having a standard before coming up with an arbitrary fingerprint scheme.

Sure, a standard for that would be great.

MD5 is pretty much broken for security purposes and I would wonder if that's
not also true in the context of OpenPGP.

You're probably much closer to the people responsible for the OpenPGP standard.
Are there any efforts to introduce SHA512-BASE64 fingerprints? (or at least SHA256)

P.S.
SHA512 probably would be the right thing. If someone's too lazy to compare such
a long fingerprint, he can still choose to compare just one half of it.

MD5 is not used by OpenPGP. It is allowed for backward compatibility but even
that has been dropped for GnuPG 2.1.

The use of SHA-1 fingerprints is hardwired into OpenPGP and to change this a
complete new key format needs to be specified. In any case the fingerprints
are not a problem right now.

Using Base64 fingerprints is actually a bad idea because they are too hard to
compare for a human.

I'm going to close this. The right forum to address these issues is the OpenPGP
working group.

neal claimed this task.
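
For reference, how the SHA-1 fingerprint discussed in this thread is derived for a v4 key (RFC 4880, section 12.2), next to the Base64 rendering the ticket asks for. This is an added example, not part of the original thread or of GnuPG's code; the packet body is constructed sample data, and `hypothetical_b64` is an assumed reading of the proposal, since the ticket does not define what would be hashed.

```python
import base64
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_key_material(body: bytes) -> bytes:
    """Bytes hashed for a v4 fingerprint: 0x99, 2-byte big-endian length, packet body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> bytes:
    """The 20-byte SHA-1 fingerprint that the v4 key format fixes."""
    return hashlib.sha1(v4_key_material(body)).digest()


def gpg_hex(fpr: bytes) -> str:
    """Ten groups of four hex digits with a wider gap in the middle, as gpg --fingerprint prints."""
    h = fpr.hex().upper()
    groups = [h[i:i + 4] for i in range(0, len(h), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def hypothetical_b64(body: bytes, algo: str) -> str:
    """Assumed form of the ticket's idea: another digest over the same bytes, Base64-encoded.
    This is not a format defined by OpenPGP."""
    return base64.b64encode(hashlib.new(algo, v4_key_material(body)).digest()).decode()


# Constructed packet body, not a real key:
# version 4, creation time, algorithm 1 (RSA), then MPIs for n and e.
SAMPLE_BODY = (bytes([4]) + struct.pack(">I", 1400000000) + bytes([1])
               + mpi((1 << 511) | 0x1234567) + mpi(65537))

if __name__ == "__main__":
    print("SHA-1 hex:", gpg_hex(v4_fingerprint(SAMPLE_BODY)))
    for algo in ("sha1", "sha256", "sha512"):
        out = hypothetical_b64(SAMPLE_BODY, algo)
        print(f"{algo:7} Base64 ({len(out)} chars): {out}")
```

Base64 is case-sensitive and mixes `+`, `/` and `=` with letters and digits, which is the readability concern raised in the thread; the hex form uses 16 symbols in fixed groups.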