From 310b064f5271fe8566ebc996702ea1422875f425 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 12 May 2021 08:55:51 +0200
Subject: [PATCH] agent: Use SHA-256 for SSH fingerprint by default

* agent/gpg-agent.c (parse_rereadable_options): Change default ssh
fingerprint digest.
(main): Ditto.
--

Co-authored-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5434
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 agent/gpg-agent.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 1285db995..7e46f98f7 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -869,7 +869,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       memset (opt.disable_daemon, 0, sizeof opt.disable_daemon);
       disable_check_own_socket = 0;
       /* Note: When changing the next line, change also gpgconf_list.  */
-      opt.ssh_fingerprint_digest = GCRY_MD_MD5;
+      opt.ssh_fingerprint_digest = GCRY_MD_SHA256;
       opt.s2k_count = 0;
       set_s2k_calibration_time (0);  /* Set to default.  */
       return 1;
@@ -1436,7 +1436,7 @@ main (int argc, char **argv)
       es_printf ("max-passphrase-days:%lu:%d:\n",
                  GC_OPT_FLAG_DEFAULT, MAX_PASSPHRASE_DAYS);
       es_printf ("ssh-fingerprint-digest:%lu:\"%s:\n",
-                 GC_OPT_FLAG_DEFAULT, "md5");
+                 GC_OPT_FLAG_DEFAULT, "sha256");
 
       agent_exit (0);
     }