On Mar 17, 2014, at 10:39 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> On 03/15/2014 03:53 PM, Juha Heljoranta wrote:
>
>> I am not able to get the gpg to verify a signature.
>>
>> Any advice how to fix this?
>> Or could the key 9C973C92 be invalid/broken?
>>
>>
>> $ mkdir -m 700 newgnupg
>> $ echo foo > zinc-0.2.0.jar
>> $ wget http://repo1.maven.org/maven2/com/typesafe/zinc/zinc/0.2.0/zinc-0.2.0.jar.asc
>
> This is a signature ostensibly made by a 2048-bit DSA key, made over an
> SHA-1 digest. DSA keys larger than 1024-bits should generally make
> signatures over stronger digests than SHA-1.
>
> See section 4.2 of FIPS-186-4
> http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf for similar
> guidance.
>
> Perhaps the folks who publish zinc need to --enable-dsa2, or to remove
> any mistaken "digest-algo sha1" from their signing routines? You could
> point them at this thread in the gnupg-users archives if you think it
> would be useful.

It doesn't matter if you specify --digest-algo sha1. Regardless of the setting of enable-dsa2, if the key wants a 256-bit hash, gpg won't allow you to sign with SHA-1. There is no way to generate that signature, at least in gpg.

David
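As an added illustration of what Daniel read off the zinc signature (this is example code written for this page, not part of the thread and not GnuPG's own code): a small Python parser that dearmors an OpenPGP `.asc` file, reads the version 4 signature packet and reports the public-key algorithm, hash algorithm and issuer key ID, the same fields `gpg --list-packets` prints. `dsa_digest_ok` applies the FIPS 186-4 rule the thread relies on, that the digest behind a DSA signature must be at least as large as the key's subgroup order q; q lives in the key rather than the signature, so it is passed in, and the 256-bit value used with the sample is an assumption taken from David's reply. The example assumes a single packet with an old-format header (what gpg writes for signatures) and lengths under 8383 octets; the sample packet, its key ID `0123456789ABCDEF` and its MPIs are constructed and will not verify.

```python
import base64

# RFC 4880 algorithm ids, limited to the ones relevant to this thread
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
HASH_BITS = {1: 128, 2: 160, 3: 160, 8: 256, 9: 384, 10: 512, 11: 224}

def dearmor(text):
    """Strip ASCII armor (RFC 4880 section 6); headers skipped, CRC24 trailer ignored (gpg checks it)."""
    body, started, in_headers = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            started = in_headers = True
            continue
        if not started or line.startswith("="):    # before the armor, or the "=XXXX" CRC trailer
            continue
        if line.startswith("-----END PGP"):
            break
        if in_headers and ":" in line:              # armor header such as "Version: GnuPG v1"
            continue
        in_headers = False                          # blank separator line reached
        if line:
            body.append(line)
    if not body:
        raise ValueError("no armored body found")
    return base64.b64decode("".join(body))

def read_packet(data):
    """Parse one packet header (RFC 4880 section 4.2) and return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                  # new-format header
        tag, b1 = ctb & 0x3F, data[1]
        if b1 >= 224:
            raise ValueError("4-octet and partial body lengths not handled here")
        length, off = (b1, 2) if b1 < 192 else (((b1 - 192) << 8) + data[2] + 192, 3)
    else:                                           # old-format header, which gpg uses for signatures
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]

def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(area):
        b1 = area[i]
        if b1 >= 255:
            raise ValueError("5-octet subpacket length not handled here")
        length, i = (b1, i + 1) if b1 < 192 else (((b1 - 192) << 8) + area[i + 1] + 192, i + 2)
        yield area[i], area[i + 1:i + length]
        i += length

def parse_signature(armored):
    """Return the fields gpg --list-packets shows for a version 4 signature packet."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    sig_type, pk, hash_id = body[1], body[2], body[3]
    hlen = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hlen]
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    unhashed = body[8 + hlen:8 + hlen + ulen]
    issuer = None
    for sp_type, sp_data in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if sp_type == 16 and len(sp_data) == 8:     # Issuer subpacket carries the 8-octet key ID
            issuer = sp_data.hex().upper()
    return {"sig_type": sig_type, "pubkey_algo": PUBKEY_ALGOS.get(pk, str(pk)),
            "hash_algo": HASH_ALGOS.get(hash_id, str(hash_id)),
            "hash_bits": HASH_BITS.get(hash_id), "issuer": issuer}

def dsa_digest_ok(q_bits, hash_bits):
    """FIPS 186-4: a DSA signature needs a digest of at least N bits, N being the size of the
    subgroup order q (160 for 1024-bit keys, 224 or 256 for 2048-bit, 256 for 3072-bit).
    q belongs to the key, not the signature, so the caller supplies it."""
    return hash_bits is not None and hash_bits >= q_bits

def build_sample_signature(pubkey_algo, hash_id, issuer_hex):
    """Constructed test data: a well-formed v4 signature packet with dummy MPIs; it never verifies."""
    def mpi(n):
        return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    hashed = bytes([5, 2]) + (1394984387).to_bytes(4, "big")     # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)           # issuer subpacket (made-up key ID)
    body = (bytes([4, 0x00, pubkey_algo, hash_id])                  # version, type, pk algo, hash algo
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd" + mpi(0x1234) + mpi(0x5678))              # digest prefix, r and s (all dummy)
    packet = bytes([0x88, len(body)]) + body                        # old-format header: tag 2, 1-octet length
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n")    # "=AAAA" stands in for the CRC24
```

To apply it to the real file, pass the contents of `zinc-0.2.0.jar.asc` to `parse_signature` and take q from the signing key (`gpg --list-packets` on the public key prints the bit size of each key MPI; for DSA the second one is q). With `build_sample_signature(17, 2, ...)` the parser reports DSA over SHA1 (160 bits) and `dsa_digest_ok(256, 160)` is false, which is the mismatch David describes; the same packet built with hash id 8 (SHA256) passes.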
> On 03/15/2014 03:53 PM, Juha Heljoranta wrote: > >> I am not able to get the gpg to verify a signature. >> >> Any advice how to fix this? >> Or could the key 9C973C92 be invalid/broken? >> >> >> $ mkdir -m 700 newgnupg >> $ echo foo > zinc-0.2.0.jar >> $ wget >> http://repo1.maven.org/maven2/com/typesafe/zinc/zinc/0.2.0/zinc-0.2.0.jar.asc > > This is a signature ostensibly made by a 2048-bit DSA key, made over an > SHA-1 digest. DSA keys larger than 1024-bits should generally make > signatures over stronger digests than SHA-1. > > See section 4.2 of FIPS-186-4 > http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf for similar > guidance. > > Perhaps the folks who publish zinc need to --enable-dsa2, or to remove > any mistaken "digest-algo sha1" from their signing routines? You could > point them at this thread in the gnupg-users archives if you think it > would be useful. It doesn't matter if you specify --digest-algo sha1. Regardless of the setting of enable-dsa2, it the key wants a 256-bit hash, gpg won't allow you to sign with SHA-1. There is no way to generate that signature, at least in gpg. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users