your mail

brian moore bem at cmc.net
Fri Nov 13 11:24:44 CET 1998


On Wed, Nov 11, 1998 at 11:11:41PM +0300, Michael Sobolev wrote:
> I have a problem of some kind.  Either I do understand what I do, or a bug is
> found.
> 
> mss at despair$ gpg --clearsign file.html
> <snip>
> mss at despair$ gpg --verify file.html.asc
> gpg (GnuPG) 0.4.2; Copyright (C) 1998 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to redistribute it
> under certain conditions. See the file COPYING for details.
> 
> gpg: Warning: using insecure memory!
> gpg: Signature made Wed Nov 11 23:07:35 1998 MS using DSA key ID A0362DB0
> gpg: BAD signature from "Michael Sobolev <mss at despair.transas.com>"
> 
> What to do?

Okay, this seems to be caused by a missing "Hash: " line.

(I force the hash to SHA1 so that PGP5 users can verify my signature,
but the Hash: line is left out of the GPG item.)

I think there's a difference in the defaults between PGP5 and GPG on
what hash is used: with PGP5, SHA1 is assumed if there is no Hash line;
in GPG, the default seems to be MD5.

I'll defer to Werner the code to fix that, but a trivial workaround is
to insert 'Hash: hashname' after the -----BEGIN PGP SIGNED MESSAGE-----
line.  (The line itself isn't used as part of the signature, so if you
add the line it should verify just fine with GPG and PGP5.)

-- 
Brian Moore                       | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker     |  a cockroach, except that the cockroach
      Usenet Vandal               |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster
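
The workaround described in the message above, as an added example that is not part of the original post or of GnuPG: a small Python check that reports whether a clearsigned file declares a "Hash:" armor header and inserts one directly after the BEGIN line if it is missing. The function names and the sample message are constructed for illustration.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"

# Constructed sample: a clearsigned file with no "Hash:" line (signature is a placeholder).
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "\n"
    "Hash: this line is message text, not an armor header\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "(constructed placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

def hash_headers(clearsigned: str) -> list[str]:
    """Return hash names declared between the BEGIN line and the first blank line."""
    lines = clearsigned.splitlines()
    start = lines.index(BEGIN)  # ValueError if this is not a clearsigned message
    names = []
    for line in lines[start + 1:]:
        if line.strip() == "":  # a blank line ends the armor headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            names += [v.strip() for v in value.split(",") if v.strip()]
    return names

def ensure_hash_header(clearsigned: str, hashname: str) -> str:
    """Insert 'Hash: <hashname>' after the BEGIN line unless one is already declared."""
    if hash_headers(clearsigned):
        return clearsigned
    lines = clearsigned.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip("\r\n") == BEGIN:
            eol = line[len(BEGIN):] or "\n"  # reuse the file's own line ending
            lines.insert(i + 1, f"Hash: {hashname}{eol}")
            break
    return "".join(lines)

if __name__ == "__main__":
    print("declared before:", hash_headers(SAMPLE))
    print(ensure_hash_header(SAMPLE, "SHA1"), end="")
```

The name passed in has to be the hash that was actually used when the file was signed; the message text itself is left untouched.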



