GPG 1.4.1 and RIPEMD160 problem

David Shaw dshaw at
Thu Mar 24 05:23:00 CET 2005

On Wed, Mar 23, 2005 at 11:20:34PM -0500, Atom Smasher wrote:
> On Wed, 23 Mar 2005, David Shaw wrote:
> >There are two ways this could happen - one, a clearsigned message that 
> >has a "Hash:" header that doesn't match the actual hash used in the 
> >signature, and two, a onepass signed message that claims to be one hash, 
> >but is actually another.
> =================
> use "pgpdump" or "gpg --list-packets" to see what hash the signature 
> ~really~ uses.

Normally, I'd agree, but this is a PGP/MIME message.  There is only
one hash in there, and so there is nothing to conflict with...

I have this vague theory that TheBat is constructing a brand new
OpenPGP message out of the MIME parts for verification.  Not enough
data to say for sure.


More information about the Gnupg-devel mailing list