[Problem description]: On Anolis 23, after generating a key pair and then adding a DSA-type subkey with the keysize set to the boundary length of 1024, the following error is reported: Note: third-party key signatures using the SHA1 algorithm are rejected

[Environment]: Machine type: ECS

[Kernel]:
[root@iZbp13y8smi7y3i45cd2grZ anliu001]# uname -r
5.10.134-16.1.an23.x86_64

[Operating system]:
[root@iZbp13y8smi7y3i45cd2grZ anliu001]# cat /etc/os-release
NAME="Anolis OS"
VERSION="23"
ID="anolis"
VERSION_ID="23"
PLATFORM_ID="platform:an23"
PRETTY_NAME="Anolis OS 23"
ANSI_COLOR="0;31"
HOME_URL="https://openanolis.cn/"
BUG_REPORT_URL="https://bugzilla.openanolis.cn/"

[Steps to reproduce]:

Generate the key pair:
[root@iZbp13y8smi7y3i45cd2grZ anliu001]# gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: John Doe
Name-Email: johndoe_012@example.com
Expire-Date: 0
Passphrase: mysecretpassphrase
EOF
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/8EBBD3F1A781536A749E8FBA3CBAC23EDDB49C18.rev'

Add the subkey:
[root@iZbp13y8smi7y3i45cd2grZ anliu001]# gpg --edit-key 8EBBD3F1A781536A749E8FBA3CBAC23EDDB49C18
gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
sec  rsa2048/3CBAC23EDDB49C18
     created: 2024-03-15  expires: never       usage: SCEAR
     trust: ultimate      validity: ultimate
[ultimate] (1). John Doe <johndoe_012@example.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: signing failed: Invalid digest algorithm
gpg: make_keysig_packet failed for backsig: Invalid digest algorithm
gpg: Key generation failed: Invalid digest algorithm

gpg> save
Key not changed so no update needed.

Result: the subkey is not generated
[root@iZbp13y8smi7y3i45cd2grZ anliu001]# gpg --keyid-format long --list-secret-keys 8EBBD3F1A781536A749E8FBA3CBAC23EDDB49C18
sec   rsa2048/3CBAC23EDDB49C18 2024-03-15 [SCEAR]
      8EBBD3F1A781536A749E8FBA3CBAC23EDDB49C18
uid                 [ultimate] John Doe <johndoe_012@example.com>

[Probability of occurrence]: always reproducible
https://lists.gnupg.org/pipermail/gnupg-users/2021-March/065027.html
Works as designed; closing the issue.
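Editor's note on why this is "as designed", with an added script that is not part of the report or of GnuPG: an OpenPGP DSA key of 1024 bits carries a 160-bit q, and GnuPG pairs a 160-bit q with SHA-1 for the signatures that key makes. The first signature a new signing subkey has to make is the back-signature (the "backsig" in the log) that binds it to the primary key; that is a key signature over SHA-1, which GnuPG 2.4 refuses by default, so the subkey is never written. With dsa2048 or dsa3072 q is 256 bits, SHA-256 is used and the same step succeeds. The script below reproduces the report non-interactively with gpg's --quick-generate-key / --quick-add-key commands in a throw-away GNUPGHOME and classifies each attempt as "added", "rejected" (the "Invalid digest algorithm" failure from the log) or "error". Assumptions made here: gpg 2.1 or later with the --quick-* commands, gpgconf, awk and mktemp on PATH; the user ID is the one from the report; and the presence of the --allow-weak-key-signatures option is taken as the sign that this gpg enforces the SHA-1 key-signature policy, since the option and the policy were introduced together.

```shell
#!/bin/sh
# Constructed example for the bug report above; not code from the report or from GnuPG.
set -u

# True when this gpg knows --allow-weak-key-signatures, i.e. (assumption) when it
# rejects SHA-1 key signatures by default. gpg exits non-zero on an unknown option.
gpg_rejects_sha1_key_sigs() {
    gpg --allow-weak-key-signatures --version >/dev/null 2>&1
}

# Usage: dsa_subkey_status BITS [extra gpg options...]
# Creates an unprotected RSA-2048 certification-only primary key in a fresh
# temporary GNUPGHOME, tries to add a DSA signing subkey of BITS bits, and
# prints one word: added | rejected | error.
dsa_subkey_status() {
    bits=$1; shift
    home=$(mktemp -d)
    chmod 700 "$home"
    log="$home/gpg.log"
    status=error
    if GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'John Doe <johndoe_012@example.com>' rsa2048 cert never \
            >"$log" 2>&1; then
        # First "fpr" record of --with-colons output is the primary key's fingerprint.
        fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
              | awk -F: '$1=="fpr"{print $10; exit}')
        if GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' "$@" \
                --quick-add-key "$fpr" "dsa$bits" sign never >>"$log" 2>&1; then
            # Confirm a DSA (algorithm id 17) subkey of the requested size now exists.
            if GNUPGHOME="$home" gpg --batch --with-colons --list-keys 2>/dev/null \
                    | grep -q "^sub:[^:]*:$bits:17:"; then
                status=added
            fi
        elif grep -q 'Invalid digest algorithm' "$log"; then
            # The backsig failure shown in the report.
            status=rejected
        fi
    fi
    GNUPGHOME="$home" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    echo "$status"
}

# Runs the three cases a practitioner cares about and prints the outcome of each.
demo() {
    if gpg_rejects_sha1_key_sigs; then
        echo "this gpg rejects SHA-1 key signatures unless --allow-weak-key-signatures is given"
    else
        echo "this gpg predates the SHA-1 key-signature policy; dsa1024 will simply be added"
    fi
    echo "dsa1024 sign subkey (default):                 $(dsa_subkey_status 1024)"
    echo "dsa1024 sign subkey, --allow-weak-key-signatures: $(dsa_subkey_status 1024 --allow-weak-key-signatures)"
    echo "dsa2048 sign subkey (default):                 $(dsa_subkey_status 2048)"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh dsa-subkey-check.sh demo`. On GnuPG 2.4 the first case prints "rejected", the second "added" and the third "added". The override only tells gpg to accept a SHA-1 key signature it would otherwise refuse; it does not change the fact that every signature the 1024-bit subkey ever makes is bound to a 160-bit digest, so the practical answer is the one the closing note implies: use 2048 or 3072 bits (or a non-DSA algorithm) rather than the 1024-bit boundary value.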