message digest preferences for signing

Hi there. I’m trying to send signed emails using SHA512 rather than SHA1. My key was originally generated under a Linux OS and is now managed under Kleopatra (it’s RSA/RSA). Running ‘gpg --edit-key, showpref’ in a dos prompt shows SHA512 ahead of SHA1 in the preference order. However if I run ‘gpg --version’ there seems to be a global preference list with MD5 and SHA1 ahead of the SHA2 family. I have therefore tried to find an equivalent of gpg.conf to change the preferences. I checked C:\Users\name\AppData\Roaming\gnupg and the keyring files are there but no conf files. I therefore copied in a gpg.conf broadly based on my Linux template with the following lines included (probably overkill):

default-preference-list SHA512 SHA384 SHA256 SHA224 SHA1 AES256 TWOFISH AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences AES256 TWOFISH AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed

I also tried situating this file in C:\ProgramData\GNU\etc\gnupg but every time I tried ‘gpg --version’ the hash order stayed the same. I looked at the other directories listed under ‘gpgconf --list-dir’ but it didn’t seem any were appropriate - please correct me if I’m wrong.

I discovered a file called ‘gpgconf-conf.skel’ under C:\ProgramData\GNU\etc\gnupg but this seems more about configuring other configuration tools. Nevertheless I tried using this as a template for a gpg.conf file but no luck. For all the conf files I’ve tried inserting, I’ve used both the names gpg.conf and gpgconf.conf.

Even after all this, if I try to send a signed mail from Scribe, Enigmail or Outlook, SHA1 remains the message digest. It’s because of this consistency across programs that I think it must be some underlying setting for gpg4win. Oh yes, I also tried this with a new key generated under Windows (again RSA/RSA).

Any help would be most appreciated and if I’ve missed something completely obvious, apologies in advance.

Here is what my .conf file says:

###+++--- GPGConf ---+++###
auto-key-locate local
keyserver hkp://
###+++--- GPGConf ---+++### 09/09/13 14:14:26 Eastern Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

personal-cipher-preferences AES256 TWOFISH AES192 AES IDEA CAST5 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1

For me, this accomplishes what you are trying to do. Not sure if the text has to be exactly this way, but it’s worth a try. The file is in the first directory you tried:

Sean C.

Thanks Sean. I tried using that text in the aforementioned directory. I named the file gpg.conf and also tried gpgconf.conf but I’m still hardwired with what I had before. For the record this is:

Supported algorithms:
Pubkey: RSA, ELG, DSA
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Any other ideas anyone?

This thread has caused me to think a bit about my own settings. I generally work with the GUIs and I don’t find anywhere to specify personal preferences for ciphers, digests or compression. The subject doesn’t appear to be addressed in the Gpg4win compendium either.

I found the gpg.conf file readily enough, and it contains only the utf8, keyserver and autolocate strings plus the comments. Which is reasonable since I have never set anything else.

Where would I find the references about possible settings for the .conf file?

If you open a dos prompt and type gpg --help, that gives you an abbreviated list of all the command line options (the second block of commands). If you want to ‘hard wire’ any of these options you enter them into gpg.conf without the initial ‘--’. For example, if you wanted to specify a particular ID to sign your mails you would enter: ‘local-user USER-ID’.

It mentions referencing the ‘man page’ for a full list of options but that’s normally a Linux or Cygwin feature. I have Cygwin running on Windows which has an extensive gpg.conf file with all the options commented out. I don’t know if all of them are applicable to the win version but in theory they should be. I’ve attached the conf file herewith.

The reason I’m concerned about my initial issue is GNU plus a bunch of Linux distros have made it clear that SHA1 should not be used for signing anymore as it’s not considered safe so I really want to use SHA512 for signatures.

gpg.conf (9.36 KB)
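Nobody in the thread checks which digest a signature actually carries, and ‘gpg --version’ cannot show it: its “Supported algorithms” block is the fixed list the build supports, not the order gpg.conf will use. The script below is an added example (not from anyone in this thread, and not part of gpg4win) that signs a test message in a throwaway keyring under the same personal-digest-preferences line quoted above and reads the digest id out of the signature packet; it assumes a POSIX shell with gpg 2.1 or later on the PATH, and the key, message and keyring are throwaway test data it creates itself. The same gpg commands and the ‘gpg --list-packets’ check work from a Windows prompt against gpg4win’s gpg.exe.

```shell
#!/bin/sh
# Added example, not from the thread: sign a test message under the
# personal-digest-preferences line discussed above and read the digest
# id out of the signature packet. Assumes gpg 2.1+ on the PATH; the
# keyring, key and message are throwaway test data created here.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to check" >&2; exit 0; }

# Throwaway GNUPGHOME so the real keyring and gpg.conf are untouched;
# kept short so the gpg-agent socket path stays within limits.
GNUPGHOME=$(mktemp -d /tmp/gpgpref.XXXXXX)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# The same preference line the thread uses: SHA512 first, SHA1 last.
printf 'personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1\n' \
    > "$GNUPGHOME/gpg.conf"

# Throwaway RSA signing key with an empty passphrase (constructed test key).
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Pref Test <preftest@example.invalid>" rsa2048 sign never \
    >/dev/null 2>&1

# Signs a test message and returns the OpenPGP hash algorithm id found in
# the signature packet: 2 = SHA1, 8 = SHA256, 9 = SHA384, 10 = SHA512
# (RFC 4880, section 9.4). "gpg --version" cannot tell you this; it only
# lists what the build supports.
signature_digest_algo() {
    printf 'test message\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --pinentry-mode loopback --passphrase '' --yes \
        --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" \
        >/dev/null 2>&1
    gpg --list-packets "$GNUPGHOME/msg.sig" 2>/dev/null \
        | sed -n 's/.*digest algo \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Prints "10" when gpg.conf is being honoured (SHA512); "2" would mean SHA1.
echo "signature digest algo: $(signature_digest_algo)"
```

If the script prints 2 even with the preference line in place, gpg is reading a different gpg.conf than the one you edited; ‘gpgconf --list-dirs homedir’ shows the directory it actually uses.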