Greetings,

A couple of days ago Shawn pointed out offlist that my GPG installation was using SHA1 when signing messages. Although seven hash functions are included in GnuPG 1.4.16, SHA1 is still the default. For most purposes this is no cause for panic, but it's "untidy" at best and might occasionally bite someone in the ass. The simple cure is to append this to gpg.conf:

    personal-digest-preferences SHA256 SHA512
    digest-algo SHA256

I wonder when the gpg guys will get around to updating the default hash...

On a related note, gnupg-agent stores typed pass phrases for 10 minutes, as a convenience when reading or signing multiple files or documents. Only one little thing: It stores typed pass phrases until the machine is powered off, regardless of configuration settings per the gnupg-agent man page. Last time I checked, this bug was dismissed by Debian as a non-issue, saying that exploiting it would require physical access to the machine and "physical access is game over." That's an excuse to leave the bug in place, not a reason. I am sure present company can provide several examples of cases where the presence of gnupg-agent in its present broken condition "is game over" for the user.

Four years ago I noticed this problem, exhausted "sane" remedies, and found an effective work-around that denies gnupg-agent access to pass phrases when using Enigmail or GPG itself.

http://pilobilus.net/gnupg-agent_work_around_for_linux_mint.html

:o)
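
An added example, not part of the original message: a small Python check that audits gpg.conf text for the two digest options quoted above and reads the Hash: armor header of a clearsigned message to see which digest a signer actually used. The WEAK set, the function names and the sample inputs are constructed for illustration.

```python
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: digests this audit treats as weak

def parse_conf(text):
    """Map option name -> list of upper-cased arguments from gpg.conf text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comment lines
            continue
        parts = line.lstrip("-").split()
        if parts:
            opts[parts[0].lower()] = [a.upper() for a in parts[1:]]
    return opts

def audit_conf(text):
    """Return findings; an empty list means no weak or missing digest setting."""
    opts, findings = parse_conf(text), []
    prefs = opts.get("personal-digest-preferences")
    algo = opts.get("digest-algo")
    if not prefs and not algo:
        findings.append("no digest option set; GnuPG default applies")
    if prefs and prefs[0] in WEAK:
        findings.append(f"first digest preference is {prefs[0]}")
    if algo and algo[0] in WEAK:
        findings.append(f"digest-algo forces {algo[0]}")
    return findings

def clearsign_hashes(message):
    """Digest names declared in a clearsigned message's Hash: armor header(s)."""
    lines = message.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    except ValueError:
        return []                      # not a clearsigned message
    hashes = []
    for line in lines[start:]:
        if not line.strip():           # blank line ends the armor headers
            break
        if line.startswith("Hash:"):
            hashes += [h.strip().upper() for h in line[5:].split(",")]
    return hashes or ["MD5"]           # RFC 4880: no Hash header implies MD5

# Constructed samples: the fix quoted in the message, and a SHA1-signed mail.
FIXED_CONF = "personal-digest-preferences SHA256 SHA512\ndigest-algo SHA256\n"
SAMPLE_MAIL = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello list\n"
               "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n"
               "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(audit_conf(FIXED_CONF), clearsign_hashes(SAMPLE_MAIL))
```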