On 07/20/2010 01:04 AM, Lars Wirzenius wrote:
> On ma, 2010-07-19 at 23:37 -0400, Daniel Kahn Gillmor wrote:
>> https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#openpgp-key-checks
>
> From the web page:
>
>     self-signatures must not use MD5
>
>     You can check this by doing:
>
>     gpg --export-options export-minimal --export <keyid> | gpg --list-packets |grep -A 2 signature|grep 'digest algo 1,'
>
> This is not very explicit about what the output should be, or what lack
> of output does. I'd extrapolate from the rest of the page and from what
> I know about Unix command line use, but I've found gpg to be rather hard
> to use right, and even harder to be confident about.

indeed. there should be no output for this one to "pass". I'll try to
update that page tomorrow with the expected output for the commands, if
they're still undocumented.

> Is there an actual "gpg lint" kind of tool anywhere? I _think_ I made a
> sufficiently good key last year, but I am not certain about it, and it
> is possible the above MD5 test is failing.

there isn't any openpgplint program that i know of. i proposed one last
year on the IETF mailing list, and the proposal met with no objections
but little enthusiasm.

I'm kind of scattered right now, but hoping to improve the state of the
available OpenPGP utilities available in debian. If anyone wants to
collaborate on such a tool, i'd be happy to participate.

> Failing that, are there instructions for creating a new key?

http://keyring.debian.org/creating-key.html

hth,

--dkg
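An explicit pass/fail form of the MD5 self-signature check discussed in this message, as an added example that is not part of the original thread or of the riseup page. The function names `check_md5_sigs` and `verdict` and the sample packet listings are constructed for illustration; the parsing assumes the `gpg --list-packets` layout that the quoted `grep` command relies on.

```shell
#!/bin/sh
# Reads `gpg --list-packets` text on stdin. Prints the header of every
# signature packet whose digest algorithm is 1 (MD5) and returns 1 if any
# was found, 0 otherwise. "digest algo 1," with the trailing comma does not
# match algorithms 10 or 11, as in the command quoted in the thread.
check_md5_sigs() {
    awk '
        /^:signature packet:/ { in_sig = 1; hdr = $0; next }
        /^:/                  { in_sig = 0 }   # any other packet ends the signature
        in_sig && /digest algo 1,/ { print "MD5: " hdr; bad++ }
        END { if (bad) exit 1 }
    '
}

# Turns the exit status into an unambiguous one-word result.
verdict() {
    if check_md5_sigs >/dev/null; then echo PASS; else echo FAIL; fi
}

# Constructed sample listing (not from a real key): one MD5 self-signature
# on the user ID, one SHA-512 (algo 10) binding signature on the subkey.
SAMPLE_BAD=':public key packet:
    version 4, algo 1, created 1000000000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0000000000000001
    version 4, created 1000000000, md5len 0, sigclass 0x13
    digest algo 1, begin of digest 00 00
:public sub key packet:
    version 4, algo 1, created 1000000000, expires 0
:signature packet: algo 1, keyid 0000000000000001
    version 4, created 1000000000, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 00 00'

# Same constructed listing with the MD5 signature replaced by SHA-256 (algo 8).
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_BAD" | sed 's/digest algo 1,/digest algo 8,/')

printf '%s\n' "$SAMPLE_BAD" | check_md5_sigs || echo "FAIL: a self-signature uses MD5"
printf '%s\n' "$SAMPLE_OK"  | check_md5_sigs && echo "PASS: no MD5 self-signatures"

# Against a real key, feed it the same pipeline the page uses:
#   gpg --export-options export-minimal --export <keyid> | gpg --list-packets | check_md5_sigs
```
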