bem at cmc.net
Fri Nov 13 11:24:44 CET 1998
On Wed, Nov 11, 1998 at 11:11:41PM +0300, Michael Sobolev wrote:
> I have a problem of some kind. Either I do understand what I do, or a bug is
> mss at despair$ gpg --clearsign file.html
> mss at despair$ gpg --verify file.html.asc
> gpg (GnuPG) 0.4.2; Copyright (C) 1998 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
> gpg: Warning: using insecure memory!
> gpg: Signature made Wed Nov 11 23:07:35 1998 MS using DSA key ID A0362DB0
> gpg: BAD signature from "Michael Sobolev <mss at despair.transas.com>"
> What to do?
Okay, this seems to be caused by a missing "Hash: " line.
(I force the hash to SHA1 so that PGP5 users can verify my signature,
but the Hash: line is left out of the GPG item.)
I think there's a difference in the defaults between PGP5 and GPG on
what hash is used: with PGP5, SHA1 is assumed if there is no Hash line:
in GPG, the default seems to be MD5.
I'll defer to Werner the code to fix that, but a trivial workaround is
to insert 'Hash: hashname' after the -----BEGIN PGP SIGNED MESSAGE-----
line. (The line itself isn't used as part of the signature, so if you
add the line it should verify just fine with GPG and PGP5.)
Brian Moore | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
Usenet Vandal | is higher up on the evolutionary chain."
Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
More information about the Gnupg-devel