So, this SHA-1 mess is "fun".
To get a fresh self-sig user ID signature on the main key, I can do
this:
gpg --expert --cert-digest-algo SHA256 --sign-key ${KEYID:?}
The `--expert` overrides the "already signed" safety check, letting you
confirm that yes you really want this. Alas, it seems that
`--ask-cert-expire` is not enough, it no-ops out.
For sub-key bindings, for encryption keys it's easy: just generate a new
encryption sub-key, let it be signed with a modern hash, and future
messages encrypted to you will just use the new subkey.
For non-encryption subkeys, I'm looking really at signing subkeys: it
seems useful to make sure that existing signatures can continue to be
verified.
How do I re-sign the subkey binding for a [S] signing subkey, to keep
the same key but make the association from the main key be with SHA256
please?
Thanks,
-Phil
To get a fresh self-sig user ID signature on the main key, I can do
this:
gpg --expert --cert-digest-algo SHA256 --sign-key ${KEYID:?}
The `--expert` overrides the "already signed" safety check, letting you
confirm that yes you really want this. Alas, it seems that
`--ask-cert-expire` is not enough, it no-ops out.
For sub-key bindings, for encryption keys it's easy: just generate a new
encryption sub-key, let it be signed with a modern hash, and future
messages encrypted to you will just use the new subkey.
For non-encryption subkeys, I'm looking really at signing subkeys: it
seems useful to make sure that existing signatures can continue to be
verified.
How do I re-sign the subkey binding for a [S] signing subkey, to keep
the same key but make the association from the main key be with SHA256
please?
Thanks,
-Phil