[Bug 1288293] Re: GnuPG uses SHA1 for key signatures
xor
1288293 at bugs.launchpad.net
Wed Mar 5 21:34:08 UTC 2014
Sorry, there were two glitches in the original instructions:
- You need to generate the GPG home directory before ($ mkdir test), otherwise key generation will fail.
- The "$ gpg --edit-key name-of-first-key" should instead be "$ gpg
--homedir test --local-user name-of-second-key -edit-key name-of-first-
key". I.e. the home directory was not specified, and you need to tell
GPG to use the *second key* for signing the first.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1288293
Title:
GnuPG uses SHA1 for key signatures
Status in “gnupg” package in Ubuntu:
New
Bug description:
(SHA1 is generally considered broken since 2005!)
Used software:
Kubuntu 13.10 amd64
GnuPG package Version: 1.4.14-1ubuntu2.1 (taken from dpkg --status gnupg),
Reproducing instructions:
Generate two keys using default key parameters:
$ gpg --homedir test --gen-key
$ gpg --homedir test --gen-key
Sign one key with the other:
$ gpg --edit-key name-of-first-key
sign
quit
Dump the signed key:
gpg --homedir test --export name-of-first-key | gpg --homedir test --list-packets
You will now notice that all signatures, and therefore even the self-signatures, use "digest algo 2".
This is SHA1:
http://tools.ietf.org/html/rfc4880#section-9.4
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1288293/+subscriptions
More information about the foundations-bugs
mailing list