Page MenuHome GnuPG
Create Task
Maniphest T5449

gnupg: Do not use SHA1 by default
Open, LowPublic
Actions

Description

There are still couple of uses of SHA1 by default in gnupg and it is probably a time to get rid of these.

Several of the uses are in the protocols or file formats which will be more complicated to change, but these should be pretty straight-forward.

The DNS part which handles SSHFP records is also quite outdated not listing recent key types and fingerprint formats, but from my reading it is not used for anything. Adding here mostly for completeness.

gnupg-sha1.patch4 KBDownload

Details

Version
master

Event Timeline

Jakuje created this task.May 24 2021, 4:46 PM
werner edited projects, added gnupg (gpg23); removed gnupg.May 25 2021, 12:49 PM
werner triaged this task as Low priority.Jun 29 2021, 3:49 PM
werner added a subscriber: werner.

The original idea with the DNS code was just to source copy it but it turned out that we need to maintain it in GnuPG. Thus adding support for SHA256 makes sense to keep the code current in case we ever need to use it.

The change to PKSIGN is not good because it breaks the API; sorry.

werner added a project: gnupg24.Dec 13 2022, 11:21 AM