[Pkg-gnupg-commit] [gnupg1] 01/04: default digest is now SHA256 (Closes: #824084)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Nov 14 00:06:06 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg1.

commit adc4363e7684a54ecc49031162052690039062f8
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Mon Nov 14 08:00:22 2016 +0900

    default digest is now SHA256 (Closes: #824084)
---
 ...Change-default-digest-algorithm-to-SHA256.patch | 55 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 56 insertions(+)

diff --git a/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch b/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch
new file mode 100644
index 0000000..edceb00
--- /dev/null
+++ b/debian/patches/0006-gpg-Change-default-digest-algorithm-to-SHA256.patch
@@ -0,0 +1,55 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Mon, 14 Nov 2016 07:57:20 +0900
+Subject: gpg: Change default digest algorithm to SHA256
+
+* g10/main.h: set DEFAULT_DIGEST_ALGO to DIGEST_ALGO_SHA256
+
+--
+
+gnupg 2.x defaults to making signatures and certifications with
+sha256, and has for quite some time; i know of no problems with that
+decision today (it's 2016!).  We should emulate it in the 1.4.x
+branch.
+
+Debian-Bug-Id: 824084
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/main.h | 2 +-
+ g10/sign.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index a0b96f9..a5500cc 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -38,7 +38,7 @@
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_3DES
+ #endif
+ 
+-#define DEFAULT_DIGEST_ALGO     DIGEST_ALGO_SHA1
++#define DEFAULT_DIGEST_ALGO     DIGEST_ALGO_SHA256
+ #define DEFAULT_COMPRESS_ALGO   COMPRESS_ALGO_ZIP
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ 
+diff --git a/g10/sign.c b/g10/sign.c
+index ed8ac73..81c5452 100644
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -1396,7 +1396,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
+ 
+     if( !digest_algo )
+       {
+-	/* Basically, this means use SHA1 always unless it's a v3 RSA
++	/* Basically, this means use the default digest algo always unless it's a v3 RSA
+ 	   key making a v3 cert (use MD5), or the user specified
+ 	   something (use whatever they said), or it's DSA (use the
+ 	   best match).  They still can't pick an inappropriate hash
+@@ -1412,7 +1412,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk,
+ 	else if(sk->pubkey_algo==PUBKEY_ALGO_DSA)
+ 	  digest_algo = match_dsa_hash(mpi_get_nbits(sk->skey[1])/8);
+ 	else
+-	  digest_algo = DIGEST_ALGO_SHA1;
++	  digest_algo = DEFAULT_DIGEST_ALGO;
+       }
+ 
+     md = md_open( digest_algo, 0 );
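Review bot: In the embedded g10/main.h hunk, `DEFAULT_S2K_DIGEST_ALGO` stays at `DIGEST_ALGO_SHA1` directly below the new SHA256 default, and nothing says whether the split is deliberate. If it is, a one-line comment above it would keep a later reader from treating it as an oversight, for example `/* S2K digest deliberately left at SHA1; only the signature/certification default changes */`. In the g10/sign.c hunk the reworded comment still documents MD5 for a v3 RSA key making a v3 cert, so that path presumably remains reachable after this change. The branch that selects it lies outside the hunk, and make_keysig_packet starts and ends outside it too, so this should be confirmed against the full function. The rewritten comment line also runs well past the width of the lines around it and would read better re-wrapped.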
diff --git a/debian/patches/series b/debian/patches/series
index 338e33a..eb27e8c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 0003-change-package-name-to-gnupg1.patch
 0004-doc-Enable-SOURCE_DATE_EPOCH-for-reproducibility.patch
 0005-spelling-correct-achived-to-achieved.patch
+0006-gpg-Change-default-digest-algorithm-to-SHA256.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg1.git


