[Bug 1288293] Re: GnuPG uses SHA1 for key signatures
Marc Deslauriers
marc.deslauriers at canonical.com
Sat Mar 8 19:57:47 UTC 2014
Thanks for opening this bug.
Please report this issue in the upstream bug tracker:
https://bugs.g10code.com/gnupg/index
Once you've done that, link the upstream bug here. Thanks.
** Changed in: gnupg (Ubuntu)
Status: New => Confirmed
** Changed in: gnupg (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1288293
Title:
GnuPG uses SHA1 for key signatures
Status in “gnupg” package in Ubuntu:
Confirmed
Bug description:
(SHA1 is generally considered broken since 2005!)
Used software:
Kubuntu 13.10 amd64
GnuPG package Version: 1.4.14-1ubuntu2.1 (taken from dpkg --status gnupg),
Reproducing instructions:
Generate two keys using default key parameters:
$ gpg --homedir test --gen-key
$ gpg --homedir test --gen-key
Sign one key with the other:
$ gpg --edit-key name-of-first-key
sign
quit
Dump the signed key:
gpg --homedir test --export name-of-first-key | gpg --homedir test --list-packets
You will now notice that all signatures, and therefore even the self-signatures, use "digest algo 2".
This is SHA1:
http://tools.ietf.org/html/rfc4880#section-9.4
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1288293/+subscriptions
More information about the foundations-bugs
mailing list