[Enigmail] How to use different hash from sha-1
Charly Avital
shavital at mac.com
Sat Sep 8 06:33:23 PDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Noiano wrote the following on 9/8/07 10:22 AM:
> Hello everybody
> I am running version 0.95.3 (20070802) and I would use sha-2 for *a
> specified key*. How can I do that?
>
> I have been browsing all menus and interfaces of enigmail....I found nothing.
>
> Thanks for your help
Hi,
I believe this is a GnuPG issue, not Enigmail's, but here are some suggestions.
1. The specified key that you want to enable SHA2 for should be larger
than 1024 bits. The "standard" or "old style" DSA key (primary) is 1024
bits by default.
2. From gpg man:
--enable-dsa2
Enables new-style DSA keys which (unlike the old style) may be
larger than 1024 bit and use hashes other than SHA-1 and
RIPEMD/160. Note that very few programs currently support these
keys and signatures from them.
3. If the key you want to enable is a standard DSA key, 1024 bits, you
could do the following:
add a signing subkey that is larger than 1024 bits:
--edit-key [key ID], then addkey (you will be prompted to enter the
key's passphrase).
after you enter the correct passphrase, you will be prompted:
Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection?
You should select RSA (sign only)
Select 5, you will be prompted:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
[2048 is quite enough unless you want more...], you are prompted:
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)   If you just hit Return at this prompt, you get:
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
.+++++
pub [1024D/primary key ID] created: [creation date] expires: never
usage: SCA
trust: ultimate validity: ultimate
sub 1024g/[subkey] created: [creation date] expires: never
usage: E [means encryption]
sub 2048R/[additional subkey] created: [creation date of the
additional key] expires: never usage: S [means signing]
[ultimate] (1). Your user ID.
You should also cross-certify (sign) the additional subkey you have just
generated <http://www.gnupg.org/(en)/faq/subkey-cross-certify.html>
Please note that when you try to cross-certify, you might get the
following output:
Command> cross-certify
signing subkey [the added signing subkey's ID] is already cross-certified
I think it depends upon your GnuPG version. I am running 1.4.7, which I
believe cross-certifies the added signing subkey within the process of
generating such a signing subkey.
In your gpg.conf, enable:
--digest-algo SHA256
Good luck,
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRuKkoM3GMi2FW4PvAQhZfAf8DZ8jcviYg4nhxF7Xf93s8N6WGfQfjbyn
7am/p5/Hmuiym+UuH9iYbDCaHKjx4q5Jn4OI5utZ5VMl8QO4DKeG/rH2t3ItFfms
kQ3JO9V2AS3Bs1o5R4st3j7P/1t/SCBiV8GxFrcSsW7K0kR3lKL5zv9QHMIEKBYW
Ub2vIPuLZp+BBJo4IdJdpoImMiba6Ga+tisg4HRaBsojEqZiCOYU9XLx9DOVMz5Q
F6HDVvDIafquu7T0ie3SeuajWcG5eecIQz4VpvfoXRc77gPJGYrT6tdV7RocX5zi
1gtiiGtJheXH7DEl6qBWA2EYX0b0VAuthAeSamJg8Y5OGWG+5MwyNQ==
=PzzW
-----END PGP SIGNATURE-----
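Once `--digest-algo SHA256` is in gpg.conf, the practical question is whether a given signature really carries SHA-2. The `Hash: SHA256` armor header at the top of a clear-signed message is an unauthenticated hint; the authoritative value is the hash-algorithm octet inside the signature packet itself, which is what `gpg --list-packets` prints. The script below is an added example written for this archive page, not code from the thread, from Enigmail or from GnuPG. It strips the ASCII armor and decodes the signature packet according to the RFC 4880 layouts for v3 and v4 signatures, reporting the key ID, public-key algorithm and hash, and flagging MD5/SHA-1. It runs on the signature block from Charly's own message above (copied verbatim) and on a constructed v4 DSA/SHA-1 packet whose key ID and MPIs are placeholders, not a real signature.

```python
import base64
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign only)", 16: "Elgamal", 17: "DSA"}            # RFC 4880 9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Charly's own signature block, copied verbatim from the message above (list-archive form).
CHARLY_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRuKkoM3GMi2FW4PvAQhZfAf8DZ8jcviYg4nhxF7Xf93s8N6WGfQfjbyn
7am/p5/Hmuiym+UuH9iYbDCaHKjx4q5Jn4OI5utZ5VMl8QO4DKeG/rH2t3ItFfms
kQ3JO9V2AS3Bs1o5R4st3j7P/1t/SCBiV8GxFrcSsW7K0kR3lKL5zv9QHMIEKBYW
Ub2vIPuLZp+BBJo4IdJdpoImMiba6Ga+tisg4HRaBsojEqZiCOYU9XLx9DOVMz5Q
F6HDVvDIafquu7T0ie3SeuajWcG5eecIQz4VpvfoXRc77gPJGYrT6tdV7RocX5zi
1gtiiGtJheXH7DEl6qBWA2EYX0b0VAuthAeSamJg8Y5OGWG+5MwyNQ==
=PzzW
-----END PGP SIGNATURE-----
"""

# Constructed v4 DSA/SHA-1 signature packet (placeholder key ID and MPIs, NOT a real signature):
# old-format header (tag 2, 1-byte length); v4, type 0x00, DSA, SHA1; hashed area with a
# creation-time subpacket; unhashed area with an issuer subpacket; left-16 hash bits; MPIs r and s.
SAMPLE_V4_SHA1 = bytes.fromhex(
    "8820" "04001102" "0006" "050246E2A4A0" "000A" "09100123456789ABCDEF" "ABCD" "000101" "000101")

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 6.2): boundaries, Version:/Comment: headers and the =XXXX CRC line."""
    b64 = []
    for line in (l.strip() for l in armored.splitlines()):
        if line and not line.startswith(("-----", "=")) and ":" not in line:
            b64.append(line)
    return base64.b64decode("".join(b64))

def _length(buf: bytes, i: int) -> tuple:
    """Decode a new-format packet length or a subpacket length at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packet_body(data: bytes) -> tuple:
    """Split one OpenPGP packet header off `data`; return (tag, body bytes)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header (RFC 4880 4.2.2)
        if 224 <= data[1] < 255:
            raise ValueError("partial body lengths not supported")
        tag, (length, off) = ctb & 0x3F, _length(data, 1)
    else:                                            # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1 << ltype)                       # 1, 2 or 4 length octets follow the tag
        length = int.from_bytes(data[1:off], "big")
    if len(data) < off + length:
        raise ValueError("truncated packet")
    return tag, data[off:off + length]

def _subpackets(region: bytes):
    """Yield (type, data) for each subpacket in a v4 hashed or unhashed area."""
    i = 0
    while i < len(region):
        length, i = _length(region, i)               # length counts the type octet
        yield region[i], region[i + 1:i + length]
        i += length

def parse_signature(data: bytes) -> dict:
    """Describe the signature packet at the start of `data` (v3 and v4 layouts, RFC 4880 5.2)."""
    tag, body = packet_body(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    version, created, key_id = body[0], None, None
    if version == 3:
        if body[1] != 5:
            raise ValueError("v3 signature: hashed-material length must be 5")
        sig_type, created = body[2], int.from_bytes(body[3:7], "big")
        key_id, pk_algo, hash_algo = body[7:15].hex().upper(), body[15], body[16]
    elif version == 4:
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
        hashed_end = 6 + int.from_bytes(body[4:6], "big")
        unhashed_end = hashed_end + 2 + int.from_bytes(body[hashed_end:hashed_end + 2], "big")
        for stype, sdata in list(_subpackets(body[6:hashed_end])) + \
                list(_subpackets(body[hashed_end + 2:unhashed_end])):
            if stype == 2:                           # signature creation time
                created = int.from_bytes(sdata, "big")
            elif stype == 16:                        # issuer key ID
                key_id = sdata.hex().upper()
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "sig_type": sig_type, "created": created, "key_id": key_id,
            "pubkey_name": PUBKEY_ALGOS.get(pk_algo, f"algo {pk_algo}"),
            "hash_name": HASH_ALGOS.get(hash_algo, f"algo {hash_algo}"),
            "weak_hash": hash_algo in (1, 2)}        # MD5 or SHA-1, what this thread is moving away from

if __name__ == "__main__":
    for sig in (dearmor(CHARLY_SIGNATURE), SAMPLE_V4_SHA1):
        print(parse_signature(sig))
```

Run as-is, the first line printed describes Charly's signature: a v3 signature made with RSA and SHA256 by key CDC6322D855B83EF, consistent with the 2048-bit RSA signing subkey and the `--digest-algo SHA256` setting he recommends; the second line is the constructed v4 packet, which the script flags as still using SHA-1. To check your own signatures, detach one with gpg, paste the armored block in place of `CHARLY_SIGNATURE`, and look at `hash_name` and `weak_hash` in the output.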