verifying multiple signatures (old bug #23)

Todd L. Brooks todd.brooks@yale.edu
Sun Jul 2 17:54:49 CEST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

Hi,

I have noticed that there still seems to be a problem with
verifying multiple signatures. I think this used to officially be bug
#23 reported by me last August, but has since disappeared from the bug
list.

If you have multiple detached signatures (not one pass sigs)
concatenated into a single file, gpg will correctly build them all
into a linked list, but then will only verify the first signature
packet. This can be fixed by descending through the tree (like it
will do for one-pass sigs). 

I've included a patch to v1.0.1h below that does this and tries to
maintain the pgp2 and pgp5 compatibility hacks as well.

Todd

---------------------------------------
Todd L. Brooks
Department of Mechanical Engineering
Yale University
New Haven, CT 06520-8286
---------------------------------------

--- gnupg-1.0.1h/g10/mainproc.c	Tue Jun 27 08:36:45 2000
+++ gnupg-1.0.1tlb/g10/mainproc.c	Sat Jul  1 22:14:29 2000
@@ -1219,20 +1219,25 @@
 	else if( !c->have_data ) {
 	    /* detached signature */
 	    free_md_filter_context( &c->mfx );
-	    c->mfx.md = md_open(sig->digest_algo, 0);
-	    if( !opt.pgp2_workarounds )
-		;
-	    else if( sig->digest_algo == DIGEST_ALGO_MD5
-		     && is_RSA( sig->pubkey_algo ) ) {
+	    /* prepare to create all requested message digests */
+	    c->mfx.md = md_open(0, 0);
+            
+	    for( n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )) ) {
+	      md_enable( c->mfx.md, n1->pkt->pkt.signature->digest_algo);
+	      if( opt.pgp2_workarounds
+		  && n1->pkt->pkt.signature->digest_algo == DIGEST_ALGO_MD5
+		  && is_RSA( sig->pubkey_algo ) ) {
 		/* enable a workaround for a pgp2 bug */
 		c->mfx.md2 = md_open( DIGEST_ALGO_MD5, 0 );
-	    }
-	    else if( sig->digest_algo == DIGEST_ALGO_SHA1
-		     && sig->pubkey_algo == PUBKEY_ALGO_DSA
-		     && sig->sig_class == 0x01 ) {
+	      }
+	      else if( opt.pgp2_workarounds
+		       && n1->pkt->pkt.signature->digest_algo == DIGEST_ALGO_SHA1
+		       && n1->pkt->pkt.signature->pubkey_algo == PUBKEY_ALGO_DSA
+		       && n1->pkt->pkt.signature->sig_class == 0x01 ) {
 		/* enable the workaround also for pgp5 when the detached
 		 * signature has been created in textmode */
-		c->mfx.md2 = md_open( sig->digest_algo, 0 );
+		c->mfx.md2 = md_open( n1->pkt->pkt.signature->digest_algo, 0 );
+	      }
 	    }
 	  #if 0 /* workaround disabled */
 	    /* Here we have another hack to work around a pgp 2 bug
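Review bot: In the MD5 branch inside the new loop, the test is still `is_RSA( sig->pubkey_algo )` while every other condition was switched to `n1->pkt->pkt.signature->...`. For the second and later signatures, the pgp2 workaround is therefore chosen from the first signature's key algorithm; it should read `is_RSA( n1->pkt->pkt.signature->pubkey_algo )`. Separately, `c->mfx.md2 = md_open(...)` can now run on more than one iteration, so an earlier md2 handle is overwritten without being closed, and with mixed MD5 and SHA1 signatures only the last algorithm stays in md2. Opening md2 once and calling `md_enable` on it, as is done for `c->mfx.md`, avoids both problems. The declaration of `n1` is not in the visible lines and needs to be part of the patch.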
@@ -1247,12 +1252,12 @@
 	    if( c->sigs_only ) {
 		rc = hash_datafiles( c->mfx.md, c->mfx.md2,
 				     c->signed_data, c->sigfilename,
-				     (sig->sig_class == 0x01) );
+				     n1? (n1->pkt->pkt.onepass_sig->sig_class == 0x01):0 );
 	    }
 	    else {
 		rc = ask_for_detached_datafile( c->mfx.md, c->mfx.md2,
 						iobuf_get_fname(c->iobuf),
-						(sig->sig_class == 0x01) );
+						n1? (n1->pkt->pkt.onepass_sig->sig_class == 0x01):0 );
 	    }
 	    if( rc ) {
 		log_error("can't hash datafile: %s\n", g10_errstr(rc));
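Review bot: Both changed arguments test `n1`, but the loop added in the previous hunk only ends when `n1` is NULL, so unless `n1` is reassigned in lines not shown here, `n1? (...):0` always evaluates to 0 and the textmode flag that `(sig->sig_class == 0x01)` used to pass is lost. The expression also reads `n1->pkt->pkt.onepass_sig->sig_class` although the loop walks `PKT_SIGNATURE` nodes, where the previous hunk uses `pkt.signature`. If the intent is to hash in text mode when a signature asks for it, record that in a separate flag inside the loop, computed from `n1->pkt->pkt.signature->sig_class == 0x01`, and pass the flag here. The behaviour when the concatenated signatures disagree on class also needs to be decided and documented.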
@@ -1261,8 +1266,9 @@
 	}
 	else
 	    log_info(_("old style (PGP 2.x) signature\n"));
-
-	check_sig_and_print( c, node );
+	
+	for( n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE )) )
+	  check_sig_and_print( c, n1 );
     }
     else
 	log_error(_("invalid root packet detected in proc_tree()\n"));
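Review bot: The new loop over `check_sig_and_print( c, n1 )` sits after the whole if/else chain, so it also runs on the "old style (PGP 2.x) signature" path and on any path where data was already present, yet the per-signature `md_enable` calls were added only in the `!c->have_data` branch. On the other paths a second signature with a different digest algorithm would be checked against a context that never hashed with that algorithm; either restrict the loop to the detached case or make sure every path enables all required digests. A short comment stating that every signature in the list is checked, not just the first, would help, since that is the point of the fix. The `-`/`+` pair that swaps the blank line for a line holding only a tab is whitespace noise and should be dropped.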
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjlfdNEACgkQfLK86z2RNm/dVQCg5JIjWwNESX1ByQ0zncHq1BMl
6EcAoPYJhYh0wXT+NyQTIEQM6Cdt5C+b
=bqfg
-----END PGP SIGNATURE-----


