multiple signers

David Shaw dshaw at jabberwocky.com
Mon Dec 9 18:05:02 CET 2002


On Sun, Dec 08, 2002 at 02:46:28PM +0100, Timo Schulz wrote:

> $ gpg --verify foo.bar.asc
> gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID E4CA8F45
> gpg: Good signature from "OpenCDK test key" 
> gpg: Signature made Son 08 Dez 2002 14:38:42 MEZ using RSA key ID 333CA589
> gpg: WARNING: signature digest conflict in message
> gpg: BAD signature from "John Q. Smith <john at smith.org>"
> 
> 
> The warning tells me about the MD5/SHA1 conflict and the result is a bad
> signature. I'm not sure if the signature is really bad, because the digest
> was only computed with SHA1, or if only the wrong digest was set (SHA1 
> instead of MD5) during the verify hash operation.

The signature is good.. the verify assumes that all signatures in the
chain have the same hash. :(

I'll fix that.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
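
The failure mode discussed in this message, as an added example that is not part of the original post and is not GnuPG code: a verifier that reuses one digest for every signature reports a valid second signature as bad, while keeping one hash context per declared algorithm verifies both. Assumptions: the signer names, keys and message are constructed, an HMAC over the digest stands in for the RSA signature operation, and taking the digest from the first signature is one way the single-hash assumption could look.

```python
import hashlib
import hmac

# Constructed sample data (assumption): two signers using different digests.
MESSAGE = b"constructed sample message\n"
KEYS = {"signer-a": b"constructed-key-a", "signer-b": b"constructed-key-b"}

def sign(signer, algo, data):
    """Stand-in signature: HMAC over the message digest (not real OpenPGP RSA)."""
    digest = hashlib.new(algo, data).digest()
    tag = hmac.new(KEYS[signer], digest, hashlib.sha256).digest()
    return {"signer": signer, "algo": algo, "sig": tag}

def check(sig, digest):
    """Check one signature against an already computed message digest."""
    expected = hmac.new(KEYS[sig["signer"]], digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig["sig"])

def verify_single_hash(data, sigs):
    """Flawed: assumes every signature uses the first signature's digest."""
    digest = hashlib.new(sigs[0]["algo"], data).digest()
    return [(s["signer"], check(s, digest)) for s in sigs]

def verify_per_signature_hash(data, sigs):
    """One hash context per distinct algorithm, all fed in a single pass."""
    contexts = {s["algo"]: hashlib.new(s["algo"]) for s in sigs}
    for ctx in contexts.values():
        ctx.update(data)
    return [(s["signer"], check(s, contexts[s["algo"]].digest())) for s in sigs]

# Same message signed twice: once over MD5, once over SHA1.
SIGS = [sign("signer-a", "md5", MESSAGE), sign("signer-b", "sha1", MESSAGE)]

if __name__ == "__main__":
    print("single hash  :", verify_single_hash(MESSAGE, SIGS))
    print("per signature:", verify_per_signature_hash(MESSAGE, SIGS))
```
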




More information about the Gnupg-devel mailing list