On 2020-11-17 at 22:18 -0700, Mark wrote: > Not to ask a stupid question but how can you tell which algorithm your > keys are using and if using SHA1 update them to a more secure one?
With GnuPG, `gpg --list-packets` shows a lot of fine detail, but unless you're familiar with the standards it can be a bit of a slog. If I might be forgiven for mentioning another OpenPGP tool from outside the GnuPG suite which can help here, then Sequioa has an "sq" command with the "inspect" sub-command. Using an old revoked key of mine to demonstrate: -----------------------8< inspect with sequoia >8----------------------- $ gpg --export 0x7C34B4E14CE4F655 | sq inspect -: OpenPGP Certificate. Fingerprint: 1745 1D0F BB5E 88F4 0AC0 08F6 7C34 B4E1 4CE4 F655 Invalid: No binding signature at time 2020-11-18T22:41:24Z Public-key algo: DSA (Digital Signature Algorithm) Public-key size: 1024 bits Creation time: 2001-08-03 17:34:53 UTC UserID: Phil Pennock [censored email address in this list post] Invalid: Policy rejected non-revocation signature (PositiveCertification) because: SHA1 is not considered secure since 2013-01-01T00:00:00Z Bad Signature: [ snip long error which doesn't matter here ] -----------------------8< inspect with sequoia >8----------------------- Here the lack of SHA1 support made the fingerprint invalid, and then it's explicitly called out under the UserID. The other thing to do is to use `gpg --edit-key $YOURKEY` and run `showpref`; it's okay for SHA1 to be _listed_ on the Digest: line, but you also want SHA256 listed. Fine: Digest: SHA256, SHA512, RIPEMD160, SHA1 Not fine: Digest: RIPEMD160, SHA1 With GnuPG: * To fix the preferences, "setpref" in the edit-key menu. * To fix the self-binding: gpg --expert --cert-digest-algo SHA256 --sign-key $YOURKEY There's also the problem of subkey binding signatures. That's a whole other mess, but frankly if you have a key which is worth keeping (it has a good web-of-trust) and you have old subkeys, just go ahead and make new ones with a current version of GnuPG, after you've fixed the self-binding. I _think_, but have not checked, that GnuPG will do the right thing there. Basically, make a subkey for encryption, and a subkey for signing, and call it good. -Phil _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users