After reading a paper about "First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust", I wonder how many SHA-1 keys are left in specific key rings.
How to list all keys in a gpg key ring, which use SHA-1?
Asked
Active
Viewed 3,531 times
3
Jonas Stein
- 3,898
- 4
- 34
- 55
-
The command `gpg2 --no-default-keyring --keyring
--list-keys` maybe of some help. Seen [here](https://lists.gnupg.org/pipermail/gnupg-users/2010-June/038847.html). – Paulo Tomé Jan 08 '20 at 10:21 -
1@PauloTomé this would list **all** keys, not just the keys with `SHA-1`. – Jonas Stein Jan 08 '20 at 10:26
-
1Is this related to [this paper](https://eprint.iacr.org/2020/014) by any chance? – Stephen Kitt Jan 08 '20 at 10:30
-
@StephenKitt Yes. While there is technically no direct link to the paper, it made me to think about this question. I have added the link to the paper in the question. I did not in the first place, because I do not want to discuss the paper. – Jonas Stein Jan 08 '20 at 13:43
1 Answers
2
To get the details of hash algorithms nominated for use with a particular key, edit the key, and then show the key's preference list:
gpg --list-keys
Get the key fingerprint that you want to query, and then edit to query the key prefs:
gpg --edit-key <key fingerprint>
gpg> showpref
[ unknown] (1). Bob Smith (GPG Key) <[email protected]>
Cipher: AES, CAST5, 3DES
Digest: SHA1, RIPEMD160
Compression: ZLIB, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
You can control the hash used for key generation at the command line, for example, with "--cert-digest-algo SHA512" and "--s2k-digest-algo SHA512". See the man page for more details.
You can also change you default preferences. "gpg --version" will show your current settings. Edit gpg.conf to explicitly remove SHA1 for future default key creation of setpref resets:
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP
From the man page:
showpref
More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list. In addition, the preferred keyserver and signature notations (if any) are shown.
setpref string
Set the list of user ID preferences to string for all (or just the selected) user IDs. Calling setpref with no arguments sets the preference list to the default (either built-in or set via --default-preference-list), and calling setpref with "none" as the argument sets an > empty preference list. Use gpg2 --version to get a list of available algorithms. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG. When setting preferences, you should list the algorithms in the order which you'd like to see them used by someone else when encrypting a message to your key. If you don't include 3DES, it will be automatically added at the end. Note that there are many factors that go into choosing an algorithm (for example, your key may not be the only recipient), and so the remote OpenPGP application being used to send to you may or may not follow your exact chosen order for a given message. It will, however, only choose an algorithm that is present on the preference list of every recipient key. See also the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
To automate, would need to extract each key and then query prefs.
