FlowCrypt · sosnovsky · Sep 4, 2025 · Sep 4, 2025
@@ -523,7 +523,7 @@ export class OpenPGPKey {
       if (verifyErr instanceof Error && verifyErr.message === 'Can only verify message with one literal data packet.') {
         verifyRes.error = 'FlowCrypt is not equipped to verify this message';
         verifyRes.isErrFatal = true; // don't try to re-fetch the message from API
-      } else if (verifyErr instanceof Error && verifyErr.message.startsWith('Insecure hash algorithm:')) {
+      } else if (verifyErr instanceof Error && verifyErr.message.startsWith('Insecure message hash algorithm:')) {
         verifyRes.error = `${verifyErr.message}. Sender is using old, insecure OpenPGP software.`;
         verifyRes.isErrFatal = true; // don't try to re-fetch the message from API
       } else if (verifyErr instanceof Error && verifyErr.message === 'Signature is expired') {

@@ -15,7 +15,6 @@ if (typeof opgp !== 'undefined') {
   opgp.config.showVersion = true;
   opgp.config.commentString = 'Seamlessly send and receive encrypted email';
   opgp.config.showComment = true;
-  opgp.config.rejectHashAlgorithms = new Set([...opgp.config.rejectHashAlgorithms, opgp.enums.hash.sha1]);
   opgp.config.allowUnauthenticatedMessages = true; // we manually check for missing MDC and show loud warning to user (no auto-decrypt)
   opgp.config.allowInsecureDecryptionWithSigningKeys = false; // may get later over-written using ClientConfiguration for some clients
   // openpgp.config.require_uid_self_cert = false;

@@ -2158,7 +2158,7 @@ XZ8r4OC6sguP/yozWlkG+7dDxsgKQVBENeG6Lw==
           {
             content: ['test'],
             encryption: 'not encrypted',
-            signature: 'error verifying signature: Insecure hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',
+            signature: 'error verifying signature: Insecure message hash algorithm: SHA1. Sender is using old, insecure OpenPGP software.',
           },
           authHdr
         );