Serious problem with detached sigs

Ulf Möller ulf at
Wed Nov 29 17:06:39 CET 2000

On Wed, Nov 29, 2000 at 06:20:45PM -0800, Dale Harris wrote:

> I thought there always was some sort of checksum being done on a file instead
> of just a signature.  Is that not the case?

An OpenPGP signature involves a hash (i.e. a sort of checksum). But in
the attack that Rene Puls described, GnuPG computes the hash of the
second message and ignores the first one.

More information about the Gnupg-devel mailing list