From eb675fbc4e4db52c3276bc0748b49df8a213fbc4 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 28 Jul 2022 10:39:45 +0200
Subject: [PATCH] gpg: For de-vs use SHA-256 instead of SHA-1 as implicit
 preference.

* g10/pkclist.c (select_algo_from_prefs): Change implicit hash
algorithm.
--

GnuPG-bug-id: 6043
---
 g10/pkclist.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/g10/pkclist.c b/g10/pkclist.c
index 392689352..9b08cc4d1 100644
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@@ -1519,9 +1519,17 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
 	     code will never even be called.  Even if the hash wasn't
 	     locked at MD5, we don't support sign+encrypt in --pgp2
 	     mode, and that's the only time PREFTYPE_HASH is used
-	     anyway. -dms */
+	     anyway. -dms
 
-          implicit=DIGEST_ALGO_SHA1;
+             Because "de-vs" compliance does not allow SHA-1 it does
+             not make sense to assign SHA-1 as implicit algorithm.
+             Instead it is better to use SHA-256 as implicit algorithm
+             (which will be the case for rfc4880bis anyway).  */
+
+          if (opt.compliance == CO_DE_VS)
+            implicit = DIGEST_ALGO_SHA256;
+          else
+            implicit = DIGEST_ALGO_SHA1;
 
 	  break;