Page MenuHome GnuPG

gnupg: Do not use SHA1 by default
Open, LowPublic


There are still couple of uses of SHA1 by default in gnupg and it is probably a time to get rid of these.

Several of the uses are in the protocols or file formats which will be more complicated to change, but these should be pretty straight-forward.

The DNS part which handles SSHFP records is also quite outdated not listing recent key types and fingerprint formats, but from my reading it is not used for anything. Adding here mostly for completeness.



Event Timeline

werner added a subscriber: werner.

The original idea with the DNS code was just to source copy it but it turned out that we need to maintain it in GnuPG. Thus adding support for SHA256 makes sense to keep the code current in case we ever need to use it.

The change to PKSIGN is not good because it breaks the API; sorry.