Re: [openpgp] Deprecating SHA1

Jonathan McDowell <> Sat, 24 October 2020 08:57 UTC

On Fri, Oct 23, 2020 at 03:23:17PM -0400, Phil Pennock wrote:
> The TLDR for folks using the widespread GnuPG software is that GnuPG
> defaults to protecting you against a new self-sig, but expert-mode makes
> it easy:
>     gpg --expert --cert-digest-algo SHA256 --sign-key $YourKeyId

I'm one of the people with a SHA1 self signature. I've been aware of it
for some time, and it's been on my to-do list to sort out, but when I
last tried GPG did not make it possible. What version of GPG is
necessary for the above to work? The somewhat aged versions on the
airgapped machine my master key lives on do not seem to want to update
the type of the self sig with that command.


Chaos, panic, & disorder - my work here is done.
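An added example, not part of this mail or of GnuPG: a small reader for a binary OpenPGP key export (RFC 4880 packet framing) that reports the digest algorithm of every version 4 signature packet, which is how one can confirm whether the self-signatures on a key still use SHA1 before and after re-signing. It assumes the export contains no partial-body or indeterminate lengths (key exports do not use them); it does not check the issuer, so third-party certifications in the export are listed as well. The sample bytes are constructed.

```python
# Added example, not from the original mail: walk a binary OpenPGP key export
# and report the digest algorithm of each v4 signature packet (RFC 4880 5.2.3),
# so SHA1 self-signatures can be spotted before and after re-signing.
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "generic cert", 0x11: "persona cert", 0x12: "casual cert",
             0x13: "positive cert", 0x18: "subkey binding", 0x1F: "direct key"}


def iter_packets(data):
    """Yield (tag, body) for each packet; partial/indeterminate lengths unsupported."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if hdr & 0x40:  # new-format header, RFC 4880 4.2.2
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header, RFC 4880 4.2.1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def signature_digests(data):
    """Return [(signature type, digest name)] for every v4 signature packet."""
    out = []
    for tag, body in iter_packets(data):
        if tag == 2 and body[:1] == b"\x04":  # tag 2 = signature, version 4
            out.append((SIG_TYPES.get(body[1], hex(body[1])),
                        HASH_NAMES.get(body[3], str(body[3]))))
    return out


# Constructed sample: two minimal v4 positive certifications with old-format
# headers; the first uses hash algo 2 (SHA1), the second hash algo 8 (SHA256).
SAMPLE = bytes.fromhex("880d04130102000000000000000101"
                       "880d04130108000000000000000101")
```

On a real key, feed it the output of `gpg --export $YourKeyId` (binary, not armored), e.g. `signature_digests(open("key.gpg", "rb").read())`; any "SHA1" entry on a certification or subkey-binding signature is one the command quoted above is meant to replace.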