Generic background information for this post and SHA-1 being broken can be found from this site: Shattered.iokw: Mozilla Thunderbird Enigmail, GnuPG, PGP, GPG, SHA1, SHA256, SMIME, S/MIME, hash, digest, signature, signatures, configuration, settings, set, configure, algorithm, preference, preferred, preference, security, privacy, email encryption, signing, data, email, configuring enigmail to use sha256, configuring GnuPG to use SHA256.
Simply put: Well, they've done it. SHA1 collision generated on purpose.
SHA1 has been on way out for a decade. But now it's finally time to retire it on cases where security matters. It still can be used as hash algorithm, as long as you just remember it isn't secure one. I'm using often some extremely simple algorithms like adler32 or crc32 to generate 'hashes'. Point is just to generate short version of data, which is highly likely to produce another outcome if data is being changed.
As happened with MD5, it's probable that massive increase in attack strength expected in near future. So if it's now considered to be broken, soon it will be much more broken.
It stands for SHA256. Note that the = is just indicating key and value separation. The equal sign shouldn't be used.
These tests were made from command-line / shell.
Only when digest-algo SHA256 option is enabled then output will be using
As you can notice I've tested everything using GnuPG v1 and GnuPG v2.
Now the command line --clearsign produces right output. Yet interestingly that won't affect Enigmail.
Also my own default key sets SHA256 as preference. But that won't clearly affect signing by default with that key. Which would have been nice?
Just to make sure that the recipient preferences do not affect the outcome. I've disabled the digest-algo option and tried using -r when clear signing.
GnuPG just warns that -r without -e doesn't encrypt the message. But still the digest-algo preferences set by -r user's preferences won't affect the digest algorithm. Hmph.
So, just go and add digest-algo SHA256 in your gpg.conf if it isn't there already.
But how do I specify the hash algorithm for Enigmail?
Quote from Enigmail Wiki documentation:
"Enigmail relies by default on GnuPG for selecting the hash (digest) algorithm. From GnuPG, the hash algorithm can be specified in the file gpg.conf using the parameter digest-algo hash_algorithm."
Yet for some interesting reason, the digest-algo setting didn't actually affect Enigmail.
Other values for mimeHashAlgorithm with Enigmail:
0: Automatic selection, let GnuPG choose (default, recommended)
After changing the settings, I sent email to myself and verified that the setting actually affects the mesages being sent out:
If settings aren't correct it'll say:
And when using S/MIME: