GPG 1.4.1 and RIPEMD160 problem
dshaw at jabberwocky.com
Thu Mar 24 05:23:00 CET 2005
On Wed, Mar 23, 2005 at 11:20:34PM -0500, Atom Smasher wrote:
> On Wed, 23 Mar 2005, David Shaw wrote:
> >There are two ways this could happen - one, a clearsigned message that
> >has a "Hash:" header that doesn't match the actual hash used in the
> >signature, and two, a onepass signed message that claims to be one hash,
> >but is actually another.
> use "pgpdump" or "gpg --list-packets" to see what hash the signature
> ~really~ uses.
Normally, I'd agree, but this is a PGP/MIME message. There is only
one hash in there, and so there is nothing to conflict with...
I have this vague theory that TheBat is constructing a brand new
OpenPGP message out of the MIME parts for verification. Not enough
data to say for sure.
More information about the Gnupg-devel