2 files changed, 110 insertions, 0 deletions

diff --git a/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..ae00d38
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow disabling sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin.  It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ g10/main.h   | 2 +-
+ g10/misc.c   | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 6e44af2..0a4ae1e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+ 
+ 
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index d1a54db..50ebad0 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -41,7 +41,7 @@
+ # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_3DES
+ #endif
+ 
+-#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO   COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 0b19e1a..79c285c 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -867,11 +867,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+     case DIGEST_ALGO_SHA384: return 0;
+ #endif
+ 
+-#ifdef GPG_USE_SHA512
+     case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+-    case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+     default: return 0;
+     }
+ }
diff --git a/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
new file mode 100644
index 0000000..bdb33f9
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
@@ -0,0 +1,46 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 3 Jan 2018 12:34:26 -0500
+Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.
+
+* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
+and SHA-384 by default.
+
+--
+
+In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
+defaults for --default-preference-list to advertise a preference for
+SHA-512, without touching --personal-digest-preferences.  This makes
+the same change for --personal-digest-preferences, since every modern
+OpenPGP library supports them all.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 5b4a785..2066bf1 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal)
+             if (personal)
+               {
+                 /* The default internal hash algo order is:
+-                 *  SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++                 *  SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+                  */
+-                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+-                  strcat (dummy_string, "H8 ");
++                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++                  strcat (dummy_string, "H10 ");
+ 
+                 if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+                   strcat (dummy_string, "H9 ");
+ 
+-                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+-                  strcat (dummy_string, "H10 ");
++                if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++                  strcat (dummy_string, "H8 ");
+               }
+             else
+               {