Page MenuHome GnuPG

gpg-agent should not use MD5 fingerprint for ssh keys
Closed, ResolvedPublic


OpenSSH switched from MD5-based fingerprints to SHA256 ones with OpenSSH 6.8 more than 6 years ago:

The GnuPG already supports the new fingerprints, but still defaults to MD5 so I think it is probably time to switch over.

The following change should do the job. Locally it passes tests for me:

commit 490c8cb8734a74b2f1f85ce6d71381a283e2bb29
Author: Jakub Jelen <>
Date:   Tue May 11 14:24:16 2021 +0200

    agent: Use SHA256 for SSH fingerprints by default
    Signed-off-by: Jakub Jelen <>

diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 8f504191b..2d85c070c 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -869,7 +869,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       memset (opt.disable_daemon, 0, sizeof opt.disable_daemon);
       disable_check_own_socket = 0;
       /* Note: When changing the next line, change also gpgconf_list.  */
-      opt.ssh_fingerprint_digest = GCRY_MD_MD5;
+      opt.ssh_fingerprint_digest = GCRY_MD_SHA256;
       opt.s2k_count = 0;
       set_s2k_calibration_time (0);  /* Set to default.  */
       return 1;

Related Objects

Event Timeline

Frankly, I am pretty sure that the new base64 encoding of the fingerprint leads to less diligent comparison of the fingerprint by the user. I don't understand why they did not used a truncated hex output or zBase32 .

werner claimed this task.