From 3c42b0ed7f3c5a762f912583a033733ec9c0e7bf Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@debian.org>
Date: Fri, 23 Dec 2022 22:31:22 +0100
Subject: [PATCH] Dpkg::OpenPGP::Backend::GnuPG: Set secure signing preferred
 algorithms

The current GnuPG defaults with --openpgp cater for heavy backwards
compatibility at the cost of being insecure but potentially being
compatible with very old programs.

We care more about secure defaults than backwards compatibility with
ancient programs, so we pass our preferences to gpg when signing. This
should also cover the case for users that have created old keys with
insecure key preferences which might end up producing insecure
signatures.

Fixes: commit b83114daa69c50d368199d00fbb67e190068b273
Closes: #1028961
---
 scripts/Dpkg/OpenPGP/Backend/GnuPG.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
index 09cd54d0d..015e56e57 100644
--- a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
+++ b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
@@ -257,7 +257,10 @@ sub inline_sign {
     my @exec = ($self->{cmd});
     push @exec, _gpg_options_weak_digests();
     push @exec, qw(--utf8-strings --textmode --armor);
+    # Set conformance level.
     push @exec, '--openpgp';
+    # Set secure algorithm preferences.
+    push @exec, '--personal-digest-preferences', 'SHA512 SHA384 SHA256 SHA224';
     if ($key->type eq 'keyfile') {
         # Promote the keyfile keyhandle to a keystore, this way we share the
         # same gpg-agent and can get any password cached.
-- 
GitLab