Schwer Log

Sometimes I want to view a GPG/PGP public key, but I don’t want to import it into my key ring, so here’s how to just view it:

gpg --with-fingerprint schwer.asc

As noted on slashdot ([1] , [2]) earlier this week; famed cryptologist Bruce Schneier noted in his blog entry that the hashing algorithm SHA-1 had been successfully broken. While the new advances against SHA-1 are computationally feasible they are still quite difficult, however the general recommendation is that people move away from SHA-1 for digital signatures.

Moving away from SHA-1 for digital signatures when using GPG may take a little bit of work since SHA-1 is the default hashing algorithm for digital signatures.

First you will need to upgrade to GnuPG 1.4 if you have not already; this is because the previous versions of GPG lacked support for writing SHA256, SHA384, and SHA512. Unfortunately the package maintainers for many of the Linux distributions have not been keeping up, so finding a GPG 1.4 package may be difficult; even though the announcement for 1.4 states that 1.2 reached its end of life cycle last month. I recommend contacting your distributions GPG package maintainer, and giving them a friendly nudge to keep up to date.

Once you have upgraded you can pass the command line option (or put it in your ~/.gnupg/options file) –digest-algo sha256 (or sha384, or sha512) to sign your messages with the updated hashing algorithm. However if you are like me and chose the default key pair when generating your keys, then you have a DSA signing key and an ElGamal encryption key; which due to limitations in the DSA algorithm means that you will get this error when trying to sign with anything other than a 160 bit hashing algorithm (which SHA-1 is):

gpg: DSA requires the use of a 160 bit hash algorithm

The solution is to generate a subkey. Subkeys are extremely handy for just such a job; when generating a new key pair would mean losing all of the signatures you have worked so hard to gather, but you need a new encrypting (or in this case signing) key.

To generate a new subkey begin by editing your key (–edit-key ‘name’), then choose addkey, and finally choose RSA (sign only). That’s it; now you can use the newer SHAs.

One final note: Enigmail the GPG plugin for Thunderbird does not support SHA256 and above for PGP/MIME. The reasoning behind this decision can be found on this Enigmail mailing list thread.