On 2025-08-24 at 11:19:29 UTC-0400 (Sun, 24 Aug 2025 16:19:29 +0100)
mat via mailmate <mailmate@lists.freron.com>
is rumored to have said:

> Hello,
> Since I had to set up my Mac anew I get this warning when I send signed
> or encrypted mail.
> I have to click it away, else I can’t send.
> My keys are all RSA and at 2048 in size.
> Mailmate is: Version 2.0 (6272)
> Any idea what might go wrong here?

Not precisely, as you didn't say whether you are using GPG or S/MIME.

The SHA* algorithms are "Secure Hashes" which are used to generate
random-looking fixed length "message authentication codes" or
"fingerprints" from arbitrary input data, which cannot be used to
regenerate the original data. Contrary to the name, those "fingerprints"
are NOT globally unique, but they are distinct enough for most uses
because generating hash collisions intentionally is very hard. For SHA1
(which generates 160-bit hashes) there are enough tricks discovered and
enough raw computing power widely available to make use of SHA1 unsafe
in some uses. Both S/MIME certificates and GPG keys can use SHA1, and it
was required for use on "v4" keys (see
https://www.rfc-editor.org/rfc/rfc4880#section-12.2) but has since been
deprecated. Similarly, the x509 certificates issued for S/MIME for many
years used SHA1 but today typically use SHA256 or SHA512.

The reason this is just a warning that you can click through is that the
"insecurity" of SHA1 is mostly theoretical for the email use case. SHA1
is used in establishment of trust for keys/certs rather than being used
in encryption, so the theoretical attacks are a bit past (IMNSHO) what
one needs to worry about unless one is a target of a very motivated and
well-resourced attacker.

I'm not sure if it is still needed, but back when the deprecation of
SHA1 was more recent, I found it helpful to add these lines to
~/.gnupg/gpg.conf:

    personal-digest-preferences SHA512 SHA384 SHA256 SHA224
    cert-digest-algo SHA512
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I am no longer entirely sure why (or even whether) I needed all 3 lines,
but I have not had a SHA1 warning in years...
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
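
One way to check which digest a key's existing signatures and stored hash preferences use, since gpg.conf settings like the ones above only apply to signatures and keys made afterwards. This is an added example, not part of the original message and not MailMate or GnuPG code; the packet dump is constructed, and the parser assumes the field layout printed by `gpg --list-packets`.

```shell
# Added example: report the digest algorithm behind each signature on a key.
# Real use (KEYID is a placeholder):
#   gpg --export KEYID | gpg --list-packets | audit_digests

# Constructed sample shaped like `gpg --list-packets` output (not a real key).
sample_packets() {
cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1300000000, expires 0
:user ID packet: "Constructed Example <user@example.invalid>"
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1300000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 1a 2b
    hashed subpkt 21 len 4 (pref-hash-algos: 2 8 9 10)
:public sub key packet:
    version 4, algo 1, created 1300000000, expires 0
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1300000000, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 3c 4d
EOF
}

# Reads list-packets text on stdin. Assumes gpg prints the sigclass line
# before the "digest algo" line inside each signature packet.
audit_digests() {
awk '
function hname(id) { return (id in H) ? H[id] : "algo" id }
BEGIN {  # hash algorithm IDs from RFC 4880 section 9.4
    H[1] = "MD5"; H[2] = "SHA1"; H[3] = "RIPEMD160"; H[8] = "SHA256"
    H[9] = "SHA384"; H[10] = "SHA512"; H[11] = "SHA224"
}
/^:/ { keyid = ""; cls = "?" }               # any new packet resets state
/^:signature packet:/ { keyid = $NF }
keyid != "" && /sigclass/ { cls = $NF }
keyid != "" && /digest algo/ {               # hash this signature was made with
    d = $3 + 0; w = ""; if (d == 1 || d == 2) { w = " WEAK"; weak++ }
    printf "SIG keyid=%s class=%s digest=%s%s\n", keyid, cls, hname(d), w
}
keyid != "" && /pref-hash-algos:/ {          # hash preferences stored on the key
    s = $0; sub(/.*pref-hash-algos: /, "", s); sub(/\).*/, "", s)
    n = split(s, a, " "); out = ""; sep = ""
    for (i = 1; i <= n; i++) { out = out sep hname(a[i]); sep = "," }
    print "PREF keyid=" keyid " hash-prefs=" out
}
END { print "weak-signatures=" (weak + 0) }
'
}

sample_packets | audit_digests
```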