multiple signers

David Shaw dshaw at
Wed Dec 11 04:37:02 CET 2002

On Mon, Dec 09, 2002 at 07:18:38PM +0100, Timo Schulz wrote:
> On Mon Dec 09 2002; 12:06, David Shaw wrote:
> > The signature is good.. the verify assumes that all signatures in the
> > chain have the same hash. :(
> That's what I thought.
> > I'll fix that.
> Excellent, thanks. But due to the fact multiple signatures are not
> very common, I don't think it's a problem for most users.

Now that I look at the code, this is actually a more general problem.
The same thing will happen with two signatures that mismatch in any
way, like a 0x00 and 0x01.  This is even less likely than a hash
mismatch since a user would have to generate such a thing by hand, but
it is still a problem.

There are also some PGP workarounds there, so RSA/MD5 sigs and
DSA/SHA1/0x01 sigs get special treatment due to bugs in various
versions of PGP, and the workarounds are skipped if it is the second
or later of the signatures in the file.

The only fix that really handles all the cases is to loop over this
code for each signature in the file, but that would be expensive as it
involves re-hashing the input for each pass.  The next best thing is
to disallow 0x00 and 0x01 together, as that means the whole thing can
be done in one pass.

Still, I wonder if the best solution for the stable branch isn't to
just lock this off so that the first signature is verified and then
print a warning that any other sigs in the file are being skipped.
It's certainly a minimal change, and we do a proper fix in the devel


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

More information about the Gnupg-devel mailing list