gpg: For de-vs use SHA-256 instead of SHA-1 as implicit preference.

* g10/pkclist.c (select_algo_from_prefs): Change implicit hash algorithm. -- GnuPG-bug-id: 6043
2025-01-03 12:11:33 +01:00 · 2022-07-28 10:39:45 +02:00 · 2022-07-28 10:39:45 +02:00 · eb675fbc4e
commit eb675fbc4e
parent 6d9c8a1cbc
1 changed files with 10 additions and 2 deletions
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@ -1519,9 +1519,17 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
 	     code will never even be called.  Even if the hash wasn't
 	     locked at MD5, we don't support sign+encrypt in --pgp2
 	     mode, and that's the only time PREFTYPE_HASH is used
-	     anyway. -dms */
+	     anyway. -dms

-          implicit=DIGEST_ALGO_SHA1;
+             Because "de-vs" compliance does not allow SHA-1 it does
+             not make sense to assign SHA-1 as implicit algorithm.
+             Instead it is better to use SHA-256 as implicit algorithm
+             (which will be the case for rfc4880bis anyway).  */
+
+          if (opt.compliance == CO_DE_VS)
+            implicit = DIGEST_ALGO_SHA256;
+          else
+            implicit = DIGEST_ALGO_SHA1;

 	  break;