* parse-packet.c (parse_key): Support a SHA1 checksum as per

draft-rfc2440-bis04. * packet.h (PKT_secret_key): Add field sha1chk. * seckey-cert.c (do_check): Check the SHA1 checksum (protect_secret_key): And create it. * build-packet.c (do_secret_key): Mark it as sha-1 protected. * g10.c, options.h: New option --simple-sk-checksum.
2025-07-14 21:47:19 +02:00 · 2002-04-17 16:00:03 +00:00 · 2002-04-17 16:00:03 +00:00 · 60e0b2ad92
commit 60e0b2ad92
parent e906ef5f5b
8 changed files with 113 additions and 34 deletions
--- a/doc/gpg.sgml
+++ b/doc/gpg.sgml
@ -581,6 +581,9 @@ The second form of the command has the special property to
 render the secret part of the primary key useless; this is
 a GNU extension to OpenPGP and other implementations can
 not be expected to successfully import such a key.
+
+See the option --simple-sk-checksum if you want to import such an
+exported key with an older OpenPGP implementation.
 </para></listitem></varlistentry>


@ -1324,6 +1327,18 @@ for conventional encryption.
 </para></listitem></varlistentry>


+<varlistentry>
+<term>--simple-sk-checksum</term>
+<listitem><para>
+Secret keys are integrity protected by using a SHA-1 checksum.  This
+method will be part of an enhanced OpenPGP specification but GnuPG
+already uses it as a countermeasure against certain attacks.  Old
+applications don't understand this new format, so this option may be
+used to switch back to the old behaviour.  Using this this option
+bears a security risk.
+</para></listitem></varlistentry>
+
+
 <varlistentry>
 <term>--compress-algo &ParmN;</term>
 <listitem><para>