Topic: GPG signatures using SHA-512 as default instead of SHA-1 (Read 1360 times)

legendary
Activity: 1974
Merit: 1030
Another gpg 1.4.10 on Linux verifies OK here.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
TL;DR
Quote
gpg: Good signature from "David Racho "

Seems to indicate it's valid.

Thanks ralree! I'll be using SHA-512 to sign from now on.
hero member
Activity: 518
Merit: 500
Manateeeeeeees
Code:
hank@joint:~$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Code:
hank@joint:~$ gpg --verify 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Is there any possible problem with using SHA-512 to sign my messages?
Can anyone who has GPG / PGP verify this signature and let me know if it's good.

My public key is here
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x36E4157832AD7565
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
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=Q1mQ
-----END PGP SIGNATURE-----
gpg: Signature made Thu 24 Oct 2013 03:49:21 AM UTC using RSA key ID 32AD7565
gpg: Good signature from "David Racho "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2EDA F204 5FC1 CCFB 9513  64CB 36E4 1578 32AD 7565

TL;DR
Quote
gpg: Good signature from "David Racho "

Seems to indicate it's valid.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Hi, this is not exactly bitcoin related, but I use this to sign messages (and encrypt some of them.)

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Is there any possible problem with using SHA-512 to sign my messages?
Can anyone who has GPG / PGP verify this signature and let me know if it's good.

My public key is here
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x36E4157832AD7565
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
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=Q1mQ
-----END PGP SIGNATURE-----

What I want to know is if this is verifiable using the different versions of GPG on different OSes, particularly older GPG versions like 1.4.15, and also Mac and Linux. I know GnuPG on Windows works since that is what I am using.

Edit: If you have a non-Windows machine, or if you use an older version (not version 2), kindly verify this signature and post here that it's good. (You may have to add or trust my public key to make it say it's valid.)
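
As an added example (not part of any post in this thread): a Python check over `gpg --status-fd 1 --verify` output that reads the digest algorithm from the `VALIDSIG` line rather than the `Hash:` armor header, pins the fingerprint printed above, and reports the "not certified" condition as a warning. The status lines are constructed to match the signature discussed here; the policy set and the function name are assumptions.

```python
# Added example, not code from the thread. Field positions follow the VALIDSIG
# line documented in GnuPG's doc/DETAILS; digest IDs are from RFC 4880 sec. 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}  # assumption: local policy, adjust as needed

# Fingerprint as printed by gpg in the thread, spaces removed.
PINNED_FPR = "2EDAF2045FC1CCFB951364CB36E4157832AD7565"

# Constructed sample of status output for the thread's signature (not captured).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 36E4157832AD7565 David Racho
[GNUPG:] VALIDSIG 2EDAF2045FC1CCFB951364CB36E4157832AD7565 2013-10-24 1382586561 0 4 0 1 10 01 2EDAF2045FC1CCFB951364CB36E4157832AD7565
[GNUPG:] TRUST_UNDEFINED
"""

def check_status(status_text, pinned_fpr=PINNED_FPR):
    """Return {'ok', 'digest', 'errors', 'warnings'} for a single signature."""
    digest, errors, warnings, seen_valid = None, [], [], False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg output is never parsed
        keyword, args = fields[1], fields[2:]
        if keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            errors.append(keyword)
        elif keyword == "VALIDSIG" and len(args) >= 9:
            seen_valid = True
            # args[7] is the digest ID taken from the signature packet itself.
            digest = HASH_ALGOS.get(int(args[7]), "unknown(%s)" % args[7])
            primary = args[9] if len(args) > 9 else args[0]
            if primary.upper() != pinned_fpr:
                errors.append("signed by unpinned key " + primary)
            if digest in WEAK_DIGESTS:
                errors.append("weak digest " + digest)
        elif keyword == "TRUST_UNDEFINED":
            # Matches the "not certified with a trusted signature" warning.
            warnings.append("key not certified in local web of trust")
    if not seen_valid:
        errors.append("no VALIDSIG line")
    return {"ok": not errors, "digest": digest,
            "errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS))
    # Same constructed run, with the digest ID changed to 2 (SHA-1).
    print(check_status(SAMPLE_STATUS.replace(" 1 10 01 ", " 1 2 01 ")))
```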