I can't find any option in gpg to select the SHA256 digest. SHA1 can be broken [1][2] and SHA256 is much more secure, so why is gpg selecting it by default for signatures?
Even the manpage suggests that there are hidden options ending with '-algo' that change the message digest algorithm, but they don't seem to have any effect.
$ gpg -s -u 47FAE4A0 --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yodelayheehoo!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

[...]
=kRno
-----END PGP SIGNATURE-----
[1] https://shattered.io/ (warning: its certificate expired 2 days ago, I think they just need to renew it though)
[2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html (this cert is OK)
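The following is an added example, not part of the question above and not code from the GnuPG project. It does two things a practitioner would want here: it reads the digest that gpg actually recorded in a clearsigned message (the "Hash:" armor header, which is the line shown as "Hash: SHA1" in the question's output) and flags MD5 or SHA1, and, if gpg is installed, it signs in a throwaway keyring with the real `--digest-algo` option to show the header change. The sample messages are constructed, no real key or signature appears, the function names (`hash_header`, `weak_digest`, `classify_clearsign`, `demo_gpg_digest`) are mine, and the batch key generation assumes GnuPG 2.1 or later because it uses `%no-protection`.

```sh
#!/bin/sh
# Added example, not from the original question or from GnuPG itself.
# Part 1: read the digest algorithm gpg recorded in a clearsigned message
# (the "Hash:" armor header, RFC 4880 section 7) and flag MD5/SHA1.
# Part 2: if gpg is installed, sign with an explicitly chosen digest.
# All sample messages below are constructed; no real key or signature is used.

SAMPLE_SHA1='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yodelayheehoo!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

(signature packet omitted in this constructed sample)
-----END PGP SIGNATURE-----'

SAMPLE_SHA256=$(printf '%s\n' "$SAMPLE_SHA1" | sed 's/^Hash: SHA1$/Hash: SHA256/')

# A message with no Hash header at all: RFC 4880 says MD5 is then implied.
SAMPLE_NOHDR='-----BEGIN PGP SIGNED MESSAGE-----

Yodelayheehoo!
-----BEGIN PGP SIGNATURE-----
(signature packet omitted in this constructed sample)
-----END PGP SIGNATURE-----'

# Print the value of the Hash: header (may be a comma-separated list), or
# nothing if the header is absent. Only the armor header block is examined,
# which ends at the first blank line after BEGIN PGP SIGNED MESSAGE.
hash_header() {
    printf '%s\n' "$1" | awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inhdr = 1; next }
        inhdr && /^$/                         { exit }
        inhdr && /^Hash:/                     { sub(/^Hash:[ \t]*/, ""); print; exit }
    '
}

# True (exit 0) if any digest in a Hash: list is MD5 or SHA1, the two OpenPGP
# digests with demonstrated collisions; false (exit 1) otherwise.
weak_digest() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qiE '^(MD5|SHA1)$'
}

# Classify a whole clearsigned message as "weak" or "ok".
classify_clearsign() {
    hdr=$(hash_header "$1")
    if [ -z "$hdr" ] || weak_digest "$hdr"; then
        echo weak
    else
        echo ok
    fi
}

# Sign with gpg in a throwaway keyring, once per digest, and show what lands
# in the Hash: header. --digest-algo forces the digest for this invocation;
# for a persistent fix put "personal-digest-preferences SHA512 SHA384 SHA256"
# in gpg.conf instead. Assumes GnuPG 2.1+ (%no-protection in batch keygen).
demo_gpg_digest() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF' || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Digest Test
Name-Email: digest-test@example.invalid
Expire-Date: 0
%commit
EOF
    for algo in SHA1 SHA256; do
        signed=$(printf 'Yodelayheehoo!\n' |
            gpg --batch --quiet --clearsign --digest-algo "$algo" 2>/dev/null) || return 1
        printf -- '--digest-algo %-6s -> Hash: %s (%s)\n' "$algo" \
            "$(hash_header "$signed")" "$(classify_clearsign "$signed")"
    done
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
}

printf 'sample, gpg 2.0.22 default: Hash=%s -> %s\n' \
    "$(hash_header "$SAMPLE_SHA1")" "$(classify_clearsign "$SAMPLE_SHA1")"
printf 'sample, no Hash header:     Hash=%s -> %s\n' \
    "$(hash_header "$SAMPLE_NOHDR")" "$(classify_clearsign "$SAMPLE_NOHDR")"
if command -v gpg >/dev/null 2>&1; then
    demo_gpg_digest || echo "gpg demo skipped (key generation or signing failed)"
fi
```

Two caveats when applying this to a real setup. `gpg --version` lists the hash algorithms the build supports, so check SHA256 is there first. `--digest-algo` is a blunt override (the gpg manual itself steers you to `--personal-digest-preferences` as the standards-conforming way to get the same result), `--cert-digest-algo` only affects certifications on keys, not data signatures, and the signing key's algorithm still constrains the choice: a DSA key with a 160-bit q is tied to 160-bit hashes unless hash truncation (DSA2) is in effect, so forcing SHA256 on such a key may be refused or silently truncated depending on the gpg version.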