GPG: Error on sign-key with compliance de-vs because of SHA-1 usage
Open, High, Public


It was reported to me that some users always get an error when trying to sign a key through Kleopatra in VS-NfD mode.

The error turns out to be:

gpg: digest algorithm 'SHA1' may not be used in --compliance=de-vs mode
gpg: signing failed: Invalid digest algorithm

I would prefer it if GnuPG automatically would select a compliant cert-digest-algo instead of failing.
Alternatively we need to add "cert-digest-algo SHA256" to the vsnfd.prf


werner added a comment. Mon, May 6, 1:41 PM

The digest algorithm used is computed based on the preferences in the key if encryption is also used. Thus this should always work and any decent key has sha256 in its preferences. In case sha1 has a higher precedence, as seen on old keys, --personal-digest-preferences can be used to prefer sha256. However, it is way better to fix the key. The easiest way to do that is to change the expiration date - then the new standard preferences will be used.
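As an added example (not code from GnuPG or from this ticket's participants), here is a small audit script that reads text in the shape of `gpg --edit-key <KEYID> showpref` output and flags user IDs whose top-ranked digest preference is one that `--compliance=de-vs` would reject, which is the situation described above. The sample input is constructed, the exact layout of `showpref` output is an assumption, and the set of de-vs compliant digests (SHA-2 from 256 bits up) is also stated as an assumption; `cert-digest-algo` and `personal-digest-preferences` are the real gpg options named in the ticket and the comment.

```python
"""Audit digest preference order of keys for --compliance=de-vs signing.

Added example for this ticket, not GnuPG code. Parses text shaped like
`gpg --edit-key <KEYID> showpref` output (layout is an assumption) and
reports user IDs whose highest-ranked digest gpg would refuse in de-vs mode.
"""
import re
from typing import Dict, List, Optional

# Digests accepted under --compliance=de-vs (assumption: SHA-2 family from
# 256 bits up; SHA1 is rejected, as the error in the ticket shows).
DE_VS_DIGESTS = frozenset({"SHA256", "SHA384", "SHA512"})

# Constructed sample in the shape of `showpref` output: one old key that
# ranks SHA1 first, one key with current default preferences.
SAMPLE_SHOWPREF = """\
[ultimate] (1). Old Key <old@example.invalid>
     Cipher: AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (1). New Key <new@example.invalid>
     Cipher: AES256, AES192, AES, 3DES
     AEAD: 
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, AEAD, Keyserver no-modify
"""

# "[trust] (n). User ID" header line; "." or "*" may follow the index.
_UID_RE = re.compile(r"^\[[^\]]*\]\s+\(\d+\)[.*]?\s+(?P<uid>.+)$")
_DIGEST_RE = re.compile(r"^\s*Digest:\s*(?P<list>.*)$")


def parse_showpref(text: str) -> Dict[str, List[str]]:
    """Map each user ID to its digest preference list, highest rank first."""
    prefs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _UID_RE.match(line)
        if m:
            current = m.group("uid").strip()
            prefs[current] = []
            continue
        m = _DIGEST_RE.match(line)
        if m and current is not None:
            prefs[current] = [a.strip() for a in m.group("list").split(",") if a.strip()]
    return prefs


def noncompliant_top_digest(digests: List[str]) -> Optional[str]:
    """Return the top-ranked digest if de-vs mode would reject it, else None.

    Assumes gpg follows the key's order and picks the first entry, which is
    how an old key ranking SHA1 first ends up with the error in the ticket.
    """
    if not digests:
        return None
    return digests[0] if digests[0] not in DE_VS_DIGESTS else None


def audit(text: str) -> Dict[str, Optional[str]]:
    """User ID -> offending top digest, or None when the key is fine."""
    return {uid: noncompliant_top_digest(d) for uid, d in parse_showpref(text).items()}


def workaround_conf() -> List[str]:
    """gpg.conf lines that pin compliant digests without touching the key.

    Both are real gpg options: cert-digest-algo is named in the ticket,
    personal-digest-preferences in the comment. Fixing the key's own
    preferences (e.g. by changing its expiration date) remains the better remedy.
    """
    return [
        "personal-digest-preferences SHA512 SHA384 SHA256",
        "cert-digest-algo SHA256",
    ]


if __name__ == "__main__":
    for uid, bad in audit(SAMPLE_SHOWPREF).items():
        status = "OK" if bad is None else f"top digest {bad} is not de-vs compliant"
        print(f"{uid}: {status}")
    print("\n".join(workaround_conf()))
```

Running the script prints a verdict per user ID from the constructed sample (the old key is flagged for SHA1, the new one passes) followed by the two configuration lines that work around the problem on the signing side; a real audit would feed it the captured output of `gpg --edit-key <KEYID> showpref` for each key in the keyring.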