[Pkg-gnupg-commit] [gnupg1] 01/04: default digest is now SHA256 (Closes: #824084)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Nov 14 00:06:06 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg1.
commit adc4363e7684a54ecc49031162052690039062f8
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Nov 14 08:00:22 2016 +0900
default digest is now SHA256 (Closes: #824084)
---
...Change-default-digest-algorithm-to-SHA256.patch | 55 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 56 insertions(+)
diff --git a/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch b/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch
new file mode 100644
index 0000000..edceb00
--- /dev/null
+++ b/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch
@@ -0,0 +1,55 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Mon, 14 Nov 2016 07:57:20 +0900
+Subject: gpg: Change default digest algorithm to SHA256
+
+* g10/main.h: set DEFAULT_DIGEST_ALGO to DIGEST_ALGO_SHA256
+
+--
+
+gnupg 2.x defaults to making signatures and certifications with
+sha256, and has for quite some time; i know of no problems with that
+decision today (it's 2016!). We should emulate it in the 1.4.x
+branch.
+
+Debian-Bug-Id: 824084
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/main.h | 2 +-
+ g10/sign.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index a0b96f9..a5500cc 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -38,7 +38,7 @@
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
+ #endif
+
+-#define DEFAULT_DIGEST_ALGO DIGEST_ALGO_SHA1
++#define DEFAULT_DIGEST_ALGO DIGEST_ALGO_SHA256
+ #define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+
+diff --git a/g10/sign.c b/g10/sign.c
+index ed8ac73..81c5452 100644
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -1396,7 +1396,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
+
+ if( !digest_algo )
+ {
+- /* Basically, this means use SHA1 always unless it's a v3 RSA
++ /* Basically, this means use the default digest algo always unless it's a v3 RSA
+ key making a v3 cert (use MD5), or the user specified
+ something (use whatever they said), or it's DSA (use the
+ best match). They still can't pick an inappropriate hash
+@@ -1412,7 +1412,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
+ else if(sk->pubkey_algo==PUBKEY_ALGO_DSA)
+ digest_algo = match_dsa_hash(mpi_get_nbits(sk->skey[1])/8);
+ else
+- digest_algo = DIGEST_ALGO_SHA1;
++ digest_algo = DEFAULT_DIGEST_ALGO;
+ }
+
+ md = md_open( digest_algo, 0 );
diff --git a/debian/patches/series b/debian/patches/series
index 338e33a..eb27e8c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
0003-change-package-name-to-gnupg1.patch
0004-doc-Enable-SOURCE_DATE_EPOCH-for-reproducibility.patch
0005-spelling-correct-achived-to-achieved.patch
+0006-gpg-Change-default-digest-algorithm-to-SHA256.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg1.git
More information about the Pkg-gnupg-commit
mailing list