How to "regenerate" a key ?

Sun, 29 Jun 2014 02:01:25 -0700

The page https://help.riseup.net/en/security/message-security/openpgp/best-practices#self-signatures-must-not-use-sha1 explains how to check for deprecated md5 or sha1 signatures:

self-signatures must not use SHA1

You can check this by doing:

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets |grep -A 2 signature|grep 'digest algo 2,'

If you see any ‘digest algo 2’ results printed, then you have some self-signatures that are using SHA1, as digest algo 2 is SHA1. See the OpenPGP


              RFC 4880, section 9.4
            for a table that maps hash algorithms to numbers.

         
        
To fix this, you will need to regenerate a key after
            setting the following in your ~/.gnupg/gpg.conf:

         cert-digest-algo SHA512
and recommends "to regenerate a key".

I do not understand what the authors mean (recreate, i.e. generate a new key?, or add a new self-signature??) and think the present formulation is or can be misleading, because for example the GnuPG Handbook https://www.gnupg.org/gph/en/manual.html is silent about how to "regenerate a key".

Can anyone explain what exactly is meant and perhaps improve the text on the riseup page in the sections regarding the md5 and sha1 self-signatures ?

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to