[Bug 1288293] Re: GnuPG uses SHA1 for key signatures
Seth Arnold
1288293 at bugs.launchpad.net
Wed Mar 5 18:42:29 UTC 2014
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1288293
Title:
GnuPG uses SHA1 for key signatures
Status in “gnupg” package in Ubuntu:
New
Bug description:
(SHA1 is generally considered broken since 2005!)
Used software:
Kubuntu 13.10 amd64
GnuPG package Version: 1.4.14-1ubuntu2.1 (taken from dpkg --status gnupg),
Reproducing instructions:
Generate two keys using default key parameters:
$ gpg --homedir test --gen-key
$ gpg --homedir test --gen-key
Sign one key with the other:
$ gpg --edit-key name-of-first-key
sign
quit
Dump the signed key:
gpg --homedir test --export name-of-first-key | gpg --homedir test --list-packets
You will now notice that all signatures, and therefore even the self-signatures, use "digest algo 2".
This is SHA1:
http://tools.ietf.org/html/rfc4880#section-9.4
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1288293/+subscriptions
More information about the foundations-bugs
mailing list