keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Cannot update key: "bad signature: rejecting insecure hash SHA1" #22496

Open fmos opened 4 years ago

fmos commented 4 years ago

I'm trying to replace my key with a new public key with an extended expiry time.

Using the web client to insert the new public key and running the generated curl command, I get the following error message:

Error in your post
-------------------

Code: 1002
Name: SIG_CANNOT_VERIFY
Description: bad signature: rejecting insecure hash SHA1

I have used gpg to set preferences of that key to prefer SHA512 over SHA1.

Any hints on how to fix the above error?

Thanks!

Arkanosis commented 4 years ago

Hi,

I've had the same issue while trying to do the same thing using GnuPG 1.4.20 and have fixed it by forcing the digest to SHA512 (somehow, this version still uses SHA1 by default).

In the generated curl command, you have something like this:

gpg -u '$YOURKEY' -a --sign)" \

replace it with the following:

gpg -u '$YOURKEY' -a --sign --digest-algo SHA512)" \

and that's it.

fmos commented 4 years ago

Thanks! That did work for me.

mloskot commented 9 months ago

Unfortunately, the workaround by @Arkanosis from https://github.com/keybase/client/issues/22496#issuecomment-643686495 does not work after one installs the Keybase app and logs in: the curl-based command is then no longer available and only keybase-based adding of keys is offered:

image

which is failing:

...
Choose a key: 1
- ERROR key generation error: bad signature: rejecting insecure hash SHA1 (error 1002)

See also https://github.com/keybase/keybase-issues/issues/3906

mloskot commented 9 months ago

Following up on my own https://github.com/keybase/client/issues/22496#issuecomment-1826779398

...
Choose a key: 1
- ERROR key generation error: bad signature: rejecting insecure hash SHA1 (error 1002)

Following these pieces of advice:

  1. https://github.com/keybase/client/issues/22458#issuecomment-584179988
  2. https://github.com/keybase/client/issues/22458#issuecomment-584209856
  3. https://github.com/keybase/client/issues/22458#issuecomment-584520214

allowed me to successfully complete the keybase pgp select.
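
To check which signature packets on an exported key or a signed message use SHA1, the text dump from `gpg --list-packets` can be filtered. The following is an added example, not part of this thread or of Keybase's code; the function names and the sample dump are constructed, and it assumes GnuPG's usual `--list-packets` text layout.

```shell
#!/bin/sh
# Added example. Real use (KEYID is a placeholder):
#   gpg --export KEYID | gpg --list-packets | find_sha1_sigs
# Prints "keyid sigclass=0x.. digest=NAME" for every signature packet read on
# stdin and returns 1 if at least one of them was made with SHA1.
find_sha1_sigs() {
    awk '
        function hname(n) {   # hash algorithm IDs, RFC 4880 section 9.4
            if (n == 1) return "MD5"
            if (n == 2) return "SHA1"
            if (n == 3) return "RIPEMD160"
            if (n == 8) return "SHA256"
            if (n == 9) return "SHA384"
            if (n == 10) return "SHA512"
            if (n == 11) return "SHA224"
            return "algo" n
        }
        # A signature packet header starts a section we care about.
        /^:signature packet:/ { insig = 1; keyid = $NF; cls = "?"; next }
        # Any other packet header ends it.
        /^:/ { insig = 0; next }
        insig && match($0, /sigclass 0x[0-9a-fA-F]+/) {
            cls = substr($0, RSTART + 9, RLENGTH - 9)
        }
        insig && match($0, /digest algo [0-9]+/) {
            n = substr($0, RSTART + 12, RLENGTH - 12) + 0
            printf "%s sigclass=%s digest=%s\n", keyid, cls, hname(n)
            if (n == 2) bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample dump: a SHA1 self-signature (0x13) on the user ID and a
# SHA512 binding signature (0x18) on the subkey.
sample_dump() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
:user ID packet: "Constructed User <user@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1400000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
:public sub key packet:
    version 4, algo 1, created 1400000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1591900000, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 12 34
EOF
}

sample_dump | find_sha1_sigs || echo "SHA1 signature(s) present"
```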