For a few years, using gpg (GnuPG) 2.0.22 / libgcrypt 1.5.3 from ubuntu-14.04 I signed coworker keys using Preferences: AES256 SHA512 BZIP2 ZLIB ZIP in gpg.conf. I am currently setting up an ubuntu-20.04 workstation with gpg (GnuPG) 2.2.19 / libgcrypt 1.8.5 and it would seem that my config got wiped at some point because the last two keys I signed (several months ago) give the following error when checking sigs on my new workstation:

    gpg: Note: third-party key signatures using the SHA1 algorithm are rejected

I should point out that I had to add no-self-sigs-only to the keyserver-options as I guess the default workaround to poisoned keys (either in the original source or something debian or ubuntu added) is a scorched earth policy, which is fine but unworkable to our web of trust.

I created some test keys to mimic the same situation and did the following to try to fix it:

    gpg --cert-digest-algo SHA512 --expert --edit-key <key to resign>

I deleted my original signature and signed again. Then I pushed the test key to the keyservers and added import-clean to gpg.conf and refreshed the keys from a different test user and it _seems_ to work.

Is this a sane fix? Is there a better or more proper fix?

Thanks!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
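
One way to audit a keyring for the situation described in this message, as an added example that is not part of the original post: it parses text in the format of `gpg --with-colons --list-sigs` and lists third-party user ID certifications whose digest field (field 16) is SHA-1, which are the signatures that would need to be re-issued. The sample records, key IDs and names are constructed.

```python
# Added example: find third-party certifications that still use SHA-1.
# Input: text in the format of `gpg --with-colons --list-sigs`.

SHA1 = "2"  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
CERT_CLASSES = {"10", "11", "12", "13"}  # user ID certification types

# Constructed sample records (hypothetical key IDs and names).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:13x:::::10:
sig:::1:BBBBBBBBBBBBBBBB:1580000000::::Bob Example <bob@example.org>:10x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1590000000::::Carol Example <carol@example.org>:10x:::::8:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1400000000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:18x:::::2:
"""


def sha1_third_party_sigs(colon_text):
    """Return certifications by other keys whose digest algorithm is SHA-1."""
    findings = []
    primary = uid = None
    for line in colon_text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # too short to be a pub/uid/sig record
        if f[0] == "pub":
            primary, uid = f[4], None
        elif f[0] == "uid":
            uid = f[9]
        elif f[0] == "sub":
            uid = None  # signatures that follow bind the subkey, not a user ID
        elif f[0] == "sig" and uid is not None and len(f) > 15:
            signer, sig_class, digest = f[4], f[10][:2], f[15]
            # Self-signatures are issued by the primary key itself; skip them.
            if signer != primary and sig_class in CERT_CLASSES and digest == SHA1:
                findings.append({"key": primary, "uid": uid,
                                 "signer": signer, "created": int(f[5])})
    return findings


if __name__ == "__main__":
    for hit in sha1_third_party_sigs(SAMPLE):
        print("{signer} certified {key} ({uid}) with SHA-1".format(**hit))
```

Records that lack field 16 are skipped rather than guessed at, so an empty result from output without that field does not prove the absence of SHA-1 signatures.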