From 5ff323ce15515a3e3fb8feb7846109cce150a32b Mon Sep 17 00:00:00 2001
From: link2xt
Date: Thu, 15 Jan 2026 22:59:47 +0000
Subject: [PATCH] feat(pgp): use preferred hash algorithm for signing instead of hardcoded SHA256
There is no difference for RSA and Ed25519, the only signing keys that we generate. The both use SHA256: The only difference is for the possible future PQC signing keys and imported NIST P-512 and NIST P-384 keys.
---
 src/pgp.rs | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/pgp.rs b/src/pgp.rs
index beecabe7c..9d8c9586b 100644
--- a/src/pgp.rs
+++ b/src/pgp.rs
@@ -17,7 +17,9 @@ use pgp::crypto::ecc_curve::ECCCurve;
 use pgp::crypto::hash::HashAlgorithm;
 use pgp::crypto::sym::SymmetricKeyAlgorithm;
 use pgp::packet::{SignatureConfig, SignatureType, Subpacket, SubpacketData};
-use pgp::types::{CompressionAlgorithm, KeyDetails, Password, PublicKeyTrait, StringToKey};
+use pgp::types::{
+ CompressionAlgorithm, KeyDetails, Password, PublicKeyTrait, SecretKeyTrait as _, StringToKey,
+};
 use rand_old::{Rng as _, thread_rng};
 use tokio::runtime::Handle;
@@ -31,9 +33,6 @@ pub(crate) const HEADER_SETUPCODE: &str = "passphrase-begin";
 /// Preferred symmetric encryption algorithm.
 const SYMMETRIC_KEY_ALGORITHM: SymmetricKeyAlgorithm = SymmetricKeyAlgorithm::AES128;
-/// Preferred cryptographic hash.
-const HASH_ALGORITHM: HashAlgorithm = HashAlgorithm::Sha256;
-
 /// Split data from PGP Armored Data as defined in .
 ///
 /// Returns (type, headers, base64 encoded body).
@@ -205,7 +204,8 @@ pub async fn pk_encrypt(
 }
 }
- msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+ let hash_algorithm = private_key_for_signing.hash_alg();
+ msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
 if compress {
 msg.compression(CompressionAlgorithm::ZLIB);
 }
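Review bot: Nothing visible in `pk_encrypt` bounds the digest any more: `private_key_for_signing.hash_alg()` is handed straight to `msg.sign`, so the strength of each signature now depends on what the pgp crate reports for the key, including imported ones. The commit message says RSA and Ed25519 still resolve to SHA256, but no test in this patch pins that; a regression test with `assert_eq!(key.hash_alg(), HashAlgorithm::Sha256);` for both generated key types would stop a dependency update from changing it silently. Whether `hash_alg()` can ever return a legacy digest for an imported key cannot be determined from this hunk; if it can, the value should be checked against an allowed set before signing. The same applies to the second `pk_encrypt` hunk and to the `symm_encrypt_message` hunk, and `pk_encrypt` starts and ends outside the hunk.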
@@ -228,7 +228,8 @@ pub async fn pk_encrypt(
 }
 }
- msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+ let hash_algorithm = private_key_for_signing.hash_alg();
+ msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
 if compress {
 msg.compression(CompressionAlgorithm::ZLIB);
 }
@@ -453,7 +454,8 @@ pub async fn symm_encrypt_message(
 );
 msg.encrypt_with_password(&mut rng, s2k, &shared_secret)?;
- msg.sign(&*private_key_for_signing, Password::empty(), HASH_ALGORITHM);
+ let hash_algorithm = private_key_for_signing.hash_alg();
+ msg.sign(&*private_key_for_signing, Password::empty(), hash_algorithm);
 if compress {
 msg.compression(CompressionAlgorithm::ZLIB);
 }
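Review bot: The signing-hash choice is now undocumented and repeated: the pair `let hash_algorithm = private_key_for_signing.hash_alg();` / `msg.sign(...)` appears verbatim in both `pk_encrypt` branches and in `symm_encrypt_message`, while the doc comment that explained the digest was deleted together with `HASH_ALGORITHM`. A short comment at each site would restore that, for example `// Sign with the hash the signing key prefers (SHA256 for the RSA and Ed25519 keys we generate).`. Moving the pair into one private helper that carries the comment would keep the policy in a single place. Both functions start and end outside these hunks.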