What determines the clearsign hash algorithm used by GnuPG?

gnupg digital-signature openpgp

When using GnuPG to clear sign a text, there is a hash part in signed message. Take the example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

abc
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEZZvqE5j3koIxs9Xim0+E4a5Vo2cFAlkRdvQACgkQm0+E4a5V
o2ew2QgAzHuvZ7Hlb6+3qRLjc9Yhdi+6tBmNWXbWpKoAQxpzx6jKQp/FSpQeGWuj
RxcYnqU3pk4ycMLtaCFcfnHEW5N0B95eXGcurgMGz7A6xhy0hy25x8WBdeKVAQ+2
PLA2ytJLUn2L1S3ueqJWcdVUBRaiczOOsYvvO
...
...

-----END PGP SIGNATURE-----

But the hash algorithm is different for different keys (or servers), sometimes SHA1, sometimes SHA256, SHA512.

What determines this, the key or GnuPG client? I can't find info on this, when you use gpg create new keys , there is no option to specify the hash algorithm.

update: to clearify my question, I added more info below. the command used to generate the example output above, is :

gpg --clearsign

( The gpg version is gpg2 on my system. )

then , I typed some random text and there comes the result above. I wish to know, how to generate output with specific "Hash:" values ? say, SHA1 ?


The hashing algorithm is chosen by the implementation of OpenPGP, in your case GnuPG. Which one gets selected

  • is obviously restricted to algorithms support by GnuPG (gpg --version prints a list),
  • depends on compliance options used and finally
  • depends on your personal preferences.

For encrypting messages, additionally the recipient's preferences stored in the public key are considered.


I wish to know, how to generate output with specific "Hash:" values ? say, SHA1 ?

To answer your question, use the --digest-algo SHA1 option.

As an example, here is a detached signature using SHA-256. I don't use --clearsign, so I'm not going to try to cobble it together:

gpg -a -u 1F8E37BD --digest-algo SHA256 --output test.txt.sig --detach-sig test.txt

-a produces the ASCII armour output. -u selects the signing key among different keys. --digest-algo selects the hash. --output is the output filename. The input filename must be last option.

The list of hashes and their values are available in RFC 4880, Section 9.4. SHA-1 is 2, and SHA-256 is 8.

You can audit the signature with:

$ cat test.txt.sig | gpg --list-packets | grep "digest algo"
    digest algo 8, begin of digest 05 94

Related

What <html lang=""> attribute value should I use for a mixed language page?
How to disable drag&drop of links by default?
Where can I find linux-kernel-headers-x.x.x.x for SUSE?
How do we check the hard disk health on a Surface Pro 3?
How do I make a backup of Windows 8?
How to Increase browser zoom level on page load?
Why is the Spotify cache so large?
VMware Workstation not installing network adapters on Windows 10
Converting mobi files to pdf files
Convert VMDK to ISO
Windows 7 thinks that the UTC+1 Amsterdam time zone is really an UTC+10 time zone
Routing sound in Windows 7 to separate devices [duplicate]