0 dkg@bob:~$ gpg --status-file /tmp/gpg.status --batch --passphrase=abc123 --rfc4880 --quick-gen-key "test key"
gpg: revocation certificate stored as '[…]/openpgp-revocs.d/53698702C3BD04D3E28FC4928D3B657E1FCDFE84.rev'
0 dkg@bob:~$ fpr=$(awk '/KEY_CREATED/ { print $4; exit }' < /tmp/gpg.status )
0 dkg@bob:~$ gpg --batch --pinentry-mode=loopback --passphrase=abc123 --rfc4880 --quick-add-key $fpr rsa sign
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: signing failed: Invalid digest algorithm
gpg: make_keysig_packet failed for backsig: Invalid digest algorithm
gpg: Key generation failed: Invalid digest algorithm
gpg: Key not changed so no update needed.
2 dkg@bob:~$
The cause for this seems to be that the default signing algorithm in any compliance mode other than --gnupg or --compliance=de_vs is SHA1. However, all RFC 4880 implementations in the past decade do support SHA256, so it would make sense to just produce a SHA256 backsig here.
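To check which digest algorithm a backsig actually uses, the signature packets of an exported binary key can be inspected directly. The following is an added example, not part of the original report and not GnuPG code: it walks the RFC 4880 packet stream, descends into Embedded Signature subpackets (type 32) and reports the hash of every primary key binding signature (type 0x19). All function names are this example's own, and the sample bytes are constructed, not a real key.

```python
# Added example, not GnuPG code; function names are this example's own.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
def _length(buf, i, two_octet_max):
    """Decode an RFC 4880 new-format length; return (length, next_index)."""
    b = buf[i]
    if b < 192:
        return b, i + 1
    if b <= two_octet_max:
        return ((b - 192) << 8) + buf[i + 1] + 192, i + 2
    if b < 255:
        raise ValueError("partial body lengths are not handled")
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body) for each packet of a binary (unarmored) stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                           # new-format header
            tag, (n, i) = hdr & 0x3F, _length(data, i + 1, 223)
        else:                                    # old format; length type 3 raises IndexError
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def sig_digests(body):
    """Return [(sig_type, hash_name)] for a v4 signature and its embedded sigs."""
    if len(body) < 8 or body[0] != 4:
        return []
    found, pos = [(body[1], HASH_NAMES.get(body[3], "id %d" % body[3]))], 4
    for _ in range(2):                           # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = _length(body, pos, 254)     # n counts the type octet too
            if (body[pos] & 0x7F) == 32:         # Embedded Signature subpacket
                found += sig_digests(body[pos + 1:pos + n])
            pos += n
    return found

def backsig_digests(key_bytes):
    """Hash names of all primary key binding signatures (type 0x19) in a key."""
    return [h for tag, body in packets(key_bytes) if tag == 2
            for typ, h in sig_digests(body) if typ == 0x19]

def sample(backsig_hash):  # constructed bytes with dummy MPIs, not a real key
    back = bytes([4, 0x19, 1, backsig_hash, 0, 0, 0, 0, 0, 0, 0, 1, 1])
    sub = bytes([len(back) + 1, 32]) + back      # subpacket: length, type 32, body
    body = bytes([4, 0x18, 1, 8, 0, 0, 0, len(sub)]) + sub + bytes([0, 0, 0, 1, 1])
    return bytes([0x88, len(body)]) + body       # old-format header, tag 2
```

Feeding it the bytes produced by `gpg --export <fingerprint>` lists one entry per signing-capable subkey; any `SHA1` entry marks a backsig that needs regenerating.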