PGP pre-2.3 signatures are not supported

ls+gnupg.devel.gnupg.org at gambit.com.ru ls+gnupg.devel.gnupg.org at gambit.com.ru
Wed Nov 19 20:15:33 CET 2003


>> I just found an article
>> news:1992Dec20.102732.11494 at extropia.wimsey.bc.ca which has "BAD
>> signature" in GnuPG 1.2.3 and "Good signature" in PGP 6.5.8.
>> Can you reproduce this problem?

David Shaw wrote:
> Yes.	Note that the signature was issued by PGP 2.1. The problem is that PGP
> 2.3 changed the representation of the signature hash to be PKCS compatible.

Is is possible to report "signature is not
PKCS compatible" instead of "BAD signature"?

> PGP 6.5.8 has code to do this.  GnuPG doesn't.  There isn't really any major
> technical reason why GnuPG couldn't do this, but PGP 2.1 is almost 11 years
> old (note the date of the signature: December, 1992) and is no longer used.

But there are still many documents signed by old versions and many
people expect that valid signatures will be validated as Good.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: not available
Url : /pipermail/attachments/20031119/eab49a31/attachment.bin


More information about the Gnupg-devel mailing list