Wrong signature hash detection?

Hauke Laging mailinglisten at hauke-laging.de
Fri May 7 04:43:09 CEST 2010


Hello,

I have created signatures with different keys for a JPEG file. You can find 
both the graphics file and the signatures on this web page:

http://www.hauke-laging.de/organspende.html

If I check the signatures, gpg2 2.0.15 (and at least .14, too) returns the 
wrong hash (unless I misunderstand something):

start cmd:> LC_ALL=C gpg --verify --verbose organspende.7f637e7b.1.sig  
organspende.jpg
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header:
gpg: Signature made Fri May  7 03:48:42 2010 CEST
gpg:                using RSA key 0x7F637E7B
gpg: using PGP trust model
gpg: Good signature from "Hauke Laging (Dieser Schlüssel ist wirklich sicher) 
<smartcard at hauke-laging.de>"
gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html

gpg: binary signature, digest algorithm SHA1

It says SHA1 though according to my understanding

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
=eaxc
-----END PGP SIGNATURE-----

is obviously not an SHA1 signature. The check delivers the correct result for 
the signature of the other key (which I created immediately before on the same 
system):

start cmd:> LC_ALL=C gpg --verify --verbose organspende.eccb5814.2.sig  
organspende.jpg
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header:
gpg: Signature made Fri May  7 03:49:11 2010 CEST
gpg:                using RSA key 0x3A403251
gpg: using subkey 0x3A403251 instead of primary key 0xECCB5814
gpg: using PGP trust model
gpg: Good signature from "Hauke Laging <hauke at laging.de>"
gpg:                 aka "Hauke Laging <mailinglisten at hauke-laging.de>"
gpg:                 aka "Hauke Laging <mail at hauke-laging.de>"
gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html

gpg: binary signature, digest algorithm SHA512


There are two differences between the keys: ECCB5814 has a DSA primary key and 
an RSA subkey for signing. This key is stored in my normal keyring. 7F637E7B 
is on a smartcard. Due to some configuration error during key creation the 
primary key is for signing, too:

start cmd:> LC_ALL=C gpg --edit-key 7F637E7B

[...]
pub  2048R/0x7F637E7B  created: 2010-03-04  expires: 2015-03-03  usage: SC


Up to now I don't think that any real problems arise from this. It seems to be 
a "cosmetic" problem. Is this a bug or have I made any mistake?


CU

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
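Whether gpg's report matches what is actually in the .sig file can be checked from the armor itself: in a v4 OpenPGP signature packet the digest algorithm is the fourth octet of the packet body (RFC 4880, section 5.2.3). The following is an added example, not part of the mail and not GnuPG code, that de-armors the signature quoted above and reads those fields; the algorithm tables are a subset of RFC 4880 section 9 and only the old-format packet header that gpg writes for signatures is handled.

```python
import base64

# Algorithm ids from RFC 4880 section 9 (subset); names match gpg's output.
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
             9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA"}
# The armored signature quoted in the mail above (organspende.7f637e7b.1.sig).
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
=eaxc
-----END PGP SIGNATURE-----"""

def dearmor(text):
    """Raw bytes of one armored block: skip BEGIN/END, armor headers, CRC24 line."""
    lines = text.strip().splitlines()
    body = [l for l in lines[lines.index("") + 1:]   # headers end at blank line
            if not l.startswith(("-----", "="))]
    return base64.b64decode("".join(body))

def packet_header(data):
    """Old-format OpenPGP packet header (what gpg writes for signatures)."""
    ctb = data[0]
    if (ctb & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length not supported")
    n = 1 << ltype                                  # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")

def signature_info(armored):
    """Leading fixed fields of a v4 signature packet (RFC 4880 section 5.2.3)."""
    data = dearmor(armored)
    tag, off, length = packet_header(data)
    if tag != 2 or len(data) < off + length:
        raise ValueError(f"expected one complete signature packet, got tag {tag}")
    version, sig_type, pk_alg, hash_alg = data[off:off + 4]
    if version != 4:
        raise ValueError(f"only v4 signatures handled, got v{version}")
    return {"sig_type": sig_type, "pubkey": PUBKEY_ALGS.get(pk_alg, f"unknown({pk_alg})"),
            "digest": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})")}
```

`signature_info(ARMORED_SIG)` returns the signature type (0 = binary document), the public-key algorithm and the digest algorithm octet as written into the packet, so the value can be compared directly with the line gpg prints.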
