Hi all!

Many people are signing keys with their new stronger keys. This is great. However, please be aware of an issue with caff before you send off your signatures, or you may have to re-do it!

If you are not careful you will create your signatures using the SHA-1 hash, while your key should support stronger SHA-2 signature hashes. This is the entire point of transitioning to a new key in the first place, so be sure to set things up to send the SHA-2 signatures instead!

This is a common problem: I've already contacted 10 people who have sent me signatures to alert them to the fact that they sent me SHA-1 signatures from a perfectly capable SHA-2 key. It has to do with using caff and not setting their signature preferences properly in a caff-specific gpg.conf file.

You probably set your ~/.gnupg/gpg.conf settings properly when you generated your key, but it turns out that caff uses its own ~/.caff/gnupghome/gpg.conf settings (and some bad defaults if you do not have that file!). There is a Debian bug[0] about this issue, and recently Bdale Garbee wrote a blog post about this problem[1] because he ran into it himself. Many people received my signatures twice; it is because I fell for this trap too.

To find out if someone has sent you SHA-1 signatures you can do the following:

    gpg --export <yourkeyid> | gpg --list-packets | less

and then type '/digest algo' to search for that string. Then inspect what number follows. You then cross-reference that number with the section on hash algos in RFC-4880[2].

If you see a 'digest algo 2', that means that the signature packet is SHA-1. Have a look at the keyid that is associated with it:

    gpg --recv-key <keyid>
    gpg --list-keys <keyid>

and if it is a 2048 or greater RSA key, then it is capable of sending SHA-2 algo signatures, and you should contact that person to re-issue.
To be sure you send the right SHA-2 capable hash signatures, or to fix the fact that you sent SHA-1 signatures, you just need to set the following in your ~/.caff/gnupghome/gpg.conf:

    cat >> ~/.caff/gnupghome/gpg.conf <<EOF
    cert-digest-algo SHA512
    personal-digest-preferences SHA512
    EOF

If you need to resend a signature with a stronger hash algo, then all you need to do after you've set those caff settings is to remove your signature from the user-ids that you sent in the caff keyring:

    gpg --homedir=~/.caff/gnupghome --secret-keyring ~/.gnupg/secring.gpg \
        --no-auto-check-trustdb --trust-model=always --edit-key <keyid>

then select my uids (press '1', <enter>, '2', <enter>, etc.), then type 'delsig' and suffer the gpg UI by saying no to all the sigs that are not yours, until you get to yours, where you say 'y'. Then 'save'.

Now you can resend the signatures, by doing:

    caff --no-download <keyid>

If you have done a number of these, you can do a for loop easily:

    cd ~/.caff/keys/<date you did the signatures>
    for keyid in `ls | cut -d. -f1 | sort | uniq`
    do
        # remove your old SHA-1 signature interactively, then re-sign and resend
        gpg --homedir=~/.caff/gnupghome --secret-keyring ~/.gnupg/secring.gpg \
            --no-auto-check-trustdb --trust-model=always --edit-key $keyid
        caff --no-download $keyid
    done

When people get your new signatures, they can simply import them again. gpg will import the new signatures just fine, and the new signatures will supersede the old ones (the old ones will remain, but as artifacts: if you look through your signature packets again you will find the old 'digest algo 2' signature from that keyid, then a second signature packet from the same keyid with the newer, stronger digest algo after it).

missing the debconf awesome,
Micah

ps. Thanks to Christoph Egger who pointed out that I did this!
pps. can someone get 527944 fixed already?

0. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527944
1. http://www.gag.com/bdale/blog/posts/Strong_Keys.html
2. http://tools.ietf.org/html/rfc4880#section-9.4
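
The 'digest algo' check described in the message above can be scripted instead of searched by hand in less. The following is an added example, not part of the original message or of caff: the function names and the sample packet listing are constructed for illustration, and the hash names are the algorithm IDs from RFC 4880 section 9.4.

```shell
#!/bin/sh
# Added example. Input format: text printed by `gpg --list-packets`.

# Print "<keyid> <sigclass> <hash name>" for every signature packet on stdin.
sig_digests() {
    awk '
        BEGIN {  # hash algorithm IDs from RFC 4880 section 9.4
            h[1] = "MD5"; h[2] = "SHA1"; h[3] = "RIPEMD160"; h[8] = "SHA256"
            h[9] = "SHA384"; h[10] = "SHA512"; h[11] = "SHA224"
        }
        /^:/ { insig = 0 }                      # a new packet starts
        /^:signature packet:/ {
            insig = 1; keyid = "?"; cls = "?"
            for (i = 1; i < NF; i++) if ($i == "keyid") keyid = $(i + 1)
            next
        }
        insig && /sigclass/ {
            for (i = 1; i < NF; i++) if ($i == "sigclass") cls = $(i + 1)
        }
        insig && /digest algo/ {
            for (i = 1; i < NF; i++) if ($i == "algo") { a = $(i + 1); sub(/,/, "", a) }
            print keyid, cls, ((a in h) ? h[a] : "unknown(" a ")")
        }
    '
}

# Print key IDs whose certifications (sigclass 0x10-0x13) are SHA-1 only,
# i.e. signers who have not yet re-issued with a SHA-2 hash.
# $1 = your own key ID (self-signatures are skipped). Simplification: this
# looks at the key as a whole, not at each user ID separately.
sha1_only_signers() {
    sig_digests | awk -v own="$1" '
        $2 !~ /^0x1[0-3]$/ || $1 == own { next }
        $3 == "SHA1" { weak[$1] = 1 }
        $3 ~ /^SHA(224|256|384|512)$/ { strong[$1] = 1 }
        END { for (k in weak) if (!(k in strong)) print k }
    ' | sort
}

# Constructed sample listing (not real keys): B re-issued with SHA512, C did not.
SAMPLE=':user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1241000000, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 1a 2b
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1249000000, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 3c 4d
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1249500000, md5len 0, sigclass 0x10
    digest algo 10, begin of digest 5e 6f
:signature packet: algo 1, keyid CCCCCCCCCCCCCCCC
    version 4, created 1249000000, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 7a 8b'
printf '%s\n' "$SAMPLE" | sha1_only_signers AAAAAAAAAAAAAAAA
```

On a real key, feed it with `gpg --export <yourkeyid> | gpg --list-packets | sha1_only_signers <yourkeyid>`, then check each reported key's size as the message describes before asking for a re-issue.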