On Jan 17, 2015, at 5:48 PM, Robert J. Hansen <[email protected]> wrote:
> quorra:~ rjh$ grep default-pref .gnupg/gpg.conf > default-preference-list SHA256 RIPEMD160 AES256 CAMELLIA256 TWOFISH 3DES > > > ... As I understand the way algorithms are selected, GnuPG uses the > most-preferred algorithm in my list that is also present in the > recipient's capability set. Since SHA-1 implicitly follows after SHA256 > and RIPEMD160, it has the lowest priority. That's basically how it works for "personal-digest-preferences", but you're showing your "default-preference-list". They're very different. default-preference-list sets the default preferences for new keys and is not part of the digest choice when signing. > By my understanding, GnuPG should start by trying SHA256 and discovering > Raven doesn't advertise that as a capability. It should then try > RIPEMD160 and see Raven advertises that, and thus it should use RIPEMD160. Not in this case. That's a clearsigned message above, and so GnuPG has no way to know who your recipient is. If you were encrypting & signing, it could know based on the recipient key, but there is no "recipient key" for a signed (only) message. Without a recipient, there are no preferences for it to consult beyond stuff (personal-digest-preferences, usually) in your config file. There are a bunch of steps GnuPG follows when selecting a digest for signing without a recipient, but outside of the cases when it is forced to use a particular algorithm (due to DSA size requirements, smartcard capabilities, or the like), the main steps are "If digest-algo is set, use that. Otherwise, if personal-digest-preferences is set, use that. Otherwise, use SHA-1." Do you have a personal-digest-preferences (or even digest-algo) set in your config file? David _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
