Page MenuHome GnuPG
Create Task
Maniphest T6433

SHA-1 digest is not considered weak
Open, LowPublic
Actions

Description

The gnupg2 defaults still allow creation and verification of SHA-1 signatures by default. Even though it is still considered too computationally intensive to run a practical attack, it might not be the case in coming years. There is a ground for the disablement of weak digest algorithms with override --allow-weak-digest-algos and MD5 is already considered weak in signatures and not accepted anymore. I think the SHA-1 should follow rather sooner than later, given that we have options to override this using commandline arguments.

Is there some plan to disable SHA-1 signatures by including this in the weak algorithms list in close future?

Details

External Link
https://bugzilla.redhat.com/show_bug.cgi?id=2070722

Event Timeline

Jakuje created this task.Mar 30 2023, 12:00 PM
werner triaged this task as Low priority.Apr 4 2023, 8:53 AM
werner added a subscriber: werner.

No, it would break the verification of too many signatures.

bernhard added a subscriber: bernhard.May 10 2023, 4:57 PM

it would break the verification of too many signatures.

Would it be a better solution to have an option (enabled by default) that disallows the creation of SHA1 signatures, but still allows the verification of them?

bernhard added a comment.Thu, Dec 5, 1:59 PM

https://lists.gnupg.org/pipermail/gnupg-devel/2024-December/035686.html <- is a question to see if the situation has changed meanwhile. (I've send it to the list because the topic affects several things in the application and thus ggoes beyond an issue like this one.)