feat(pgp): use preferred hash algorithm for signing instead of hardcoded SHA256

There is no difference for RSA and Ed25519, the only signing keys that we generate. The both use SHA256: <7e3b6c0af2/src/types/params/public.rs (L231-L234)> The only difference is for the possible future PQC signing keys and imported NIST P-512 and NIST P-384 keys.
2026-04-26 01:46:34 +03:00 · 2026-01-15 22:59:47 +00:00
parent a67a5299bf
commit 5ff323ce15
1 changed files with 9 additions and 7 deletions
--- a/src/pgp.rs
+++ b/src/pgp.rs
@@ -17,7 +17,9 @@ use pgp::crypto::ecc_curve::ECCCurve;
 use pgp::crypto::hash::HashAlgorithm;
 use pgp::crypto::sym::SymmetricKeyAlgorithm;
 use pgp::packet::{SignatureConfig, SignatureType, Subpacket, SubpacketData};
-use pgp::types::{CompressionAlgorithm, KeyDetails, Password, PublicKeyTrait, StringToKey};
+use pgp::types::{
+    CompressionAlgorithm, KeyDetails, Password, PublicKeyTrait, SecretKeyTrait as _, StringToKey,
+};
 use rand_old::{Rng as _, thread_rng};
 use tokio::runtime::Handle;

@@ -31,9 +33,6 @@ pub(crate) const HEADER_SETUPCODE: &str = "passphrase-begin";
 /// Preferred symmetric encryption algorithm.
 const SYMMETRIC_KEY_ALGORITHM: SymmetricKeyAlgorithm = SymmetricKeyAlgorithm::AES128;

-/// Preferred cryptographic hash.
-const HASH_ALGORITHM: HashAlgorithm = HashAlgorithm::Sha256;
-
 /// Split data from PGP Armored Data as defined in <https://tools.ietf.org/html/rfc4880#section-6.2>.
 ///
 /// Returns (type, headers, base64 encoded body).
@@ -205,7 +204,8 @@ pub async fn pk_encrypt(
                        }
                    }

-                    msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+                    let hash_algorithm = private_key_for_signing.hash_alg();
+                    msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
                    if compress {
                        msg.compression(CompressionAlgorithm::ZLIB);
                    }
@@ -228,7 +228,8 @@ pub async fn pk_encrypt(
                        }
                    }

-                    msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+                    let hash_algorithm = private_key_for_signing.hash_alg();
+                    msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
                    if compress {
                        msg.compression(CompressionAlgorithm::ZLIB);
                    }
@@ -453,7 +454,8 @@ pub async fn symm_encrypt_message(
        );
        msg.encrypt_with_password(&mut rng, s2k, &shared_secret)?;

-        msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+        let hash_algorithm = private_key_for_signing.hash_alg();
+        msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
        if compress {
            msg.compression(CompressionAlgorithm::ZLIB);
        }