When it comes to DEB packages and repositories, we're talking about explicitly creating a signature. This is different to encrypting and signing a message for a known recipient key. In that case, gpg uses the receiver's key preferences, in combination with your own local preferences to work out a suitable algorithm choice
Unfortunately, there are not much options available for stand-alone signing right now. Even in GPG-2, there is only an option to disallow a cipher algo, but no option to disallow a digest (signing) algo.
Thus, the only thing you can do is explicitly to define a fixed digest (signing) algo in your preferences. Because that is what will be used, when the debian tooling invokes your local GPG installation to make the signatures.
Obviously, this has the downside to interfere with the automatic choice of a signing algo; which means, after setting that option, a receiver only capable of SHA1 will no longer be able to verify your signatures.
Anyway, set the following to your ~/.gnupg/gpg.conf
digest-algo SHA256
Probably you should also place a personal preference list there, which influences the default when creating new keys (but as such does not immediately solve the problem at hand -- it won't hurt either)
personal-digest-preferences SHA512,SHA384,SHA256,SHA224
default-preference-list SHA512,SHA384,SHA256,SHA224,AES256,AES192,AES,CAST5,3DES,BZIP2,ZIP,ZLIB,Uncompressed
Regarding SHA1 and 3DES, these are the lowest common denominator for the PGP protocol, and thus hardwired into the software. They are automatically added at the end of your preference list, in order to ensure interoperability with other (weak) implementations of the protocol.
See Section 13.2 of RfC4880
Since SHA1 is the MUST-implement hash algorithm, if it is not
explicitly in the list, it is tacitly at the end.
Moreover, SHA1 is still the only algorithm used/allowed to generate a V4 Fingerprint (See Section 12.2)
Well, it might be time to move on, but there is not much we (users) can do, as long as the standard is not upgraded...
Best Answer
The packages named
gpg-pubkey*
are fake RPM packages to store and manage the rpm keys. The manpage rpmkeys(8) mention how to list and remove those keys. There is also a YUM addon (packageyum-plugin-keys
):Alternatively, you can use RPM to list the keys in a compact view:
When a key is imported by the system administrator (using
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
,rpmkeys
oryum install
) the fake package is created (read where does rpm install custom gpg keys?).Removing those keys is a good idea, if you purged all packages from that packager/provider/repo, since it will prevent the system from installing or upgrading any package from that repo.
Removing those keys is a bad idea, if you haven't purged all packages from that packager/provider/repo, since it will prevent the system from installing or upgrading any package from that repo.