WARNING: signature digest conflict in message ?

Matija Nalis mnalis-ml at voyager.hr
Thu Sep 25 14:05:49 CEST 2008

I did most of the testing with the default Debian Etch gnupg 1.4.6-2,
but I've also verified that the problem exists in gnupg 1.4.9-3.

The problem is if one uses clearsign format without "Hash:" line, and
the actual hash used is *not* MD5, the "gpg --verify" fails with:

gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error

If one uses detached signatures, gpg correctly guesses the hash used
from the signature, uses that, and correctly verifies the message.

If one uses clearsign signature, but without "Hash:" line[1], it
fails, unless the hash happens to be MD5.

Failing example looks something like:


some cleartext
some more cleartext
Version: GnuPG v1.4.6 (GNU/Linux)


Would it be possible in such a case to try to deduce the hash used
from the signature, before (or instead of) falling back to assuming it is
MD5? I see no reason why it couldn't be possible.

[1] Yes, I know it would work if the "Hash: SHA1" line was present
    after "-----BEGIN PGP SIGNED MESSAGE-----", and while I could
    easily fix it in my server, there are tons of other places where
    it probably won't be fixed (long story - the software is INN's 
    pgpverify < 1.23)

Opinions above are GNU-copylefted.
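
Added example, not part of the original post and not GnuPG code: a Python check that reads the digest algorithm from the signature packet of a clearsigned message and compares it with the "Hash:" armor header, where a missing header means MD5. The function names and the sample message, whose signature bytes are placeholders, are constructed for illustration.

```python
import base64
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
BLANK = re.compile(r"\r?\n\r?\n")  # armor headers end at the first blank line

def armor_hashes(text):
    """Digests declared by "Hash:" armor headers; none declared means MD5."""
    head = text.split("-----BEGIN PGP SIGNED MESSAGE-----", 1)[1]
    names = []
    for line in BLANK.split(head, maxsplit=1)[0].splitlines():
        if line.lower().startswith("hash:"):
            names += [n.strip().upper() for n in line[5:].split(",")]
    return names or ["MD5"]

def signature_hash(text):
    """Digest algorithm recorded inside the first signature packet."""
    block = text.split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    block = block.split("-----END PGP SIGNATURE-----", 1)[0].strip("\r\n")
    body = BLANK.split(block, maxsplit=1)[-1]        # drop "Version:" etc.
    pkt = base64.b64decode("".join(
        l for l in body.split() if not l.startswith("=")))   # skip CRC line
    if pkt[0] & 0x40:                                # new-format packet header
        tag, first = pkt[0] & 0x3F, pkt[1]
        skip = 3 if 192 <= first < 224 else 6 if first == 255 else 2
    else:                                            # old-format packet header
        tag, skip = (pkt[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    sig = pkt[skip:]
    algo = sig[16] if sig[0] in (2, 3) else sig[3]   # v3 layout vs v4 layout
    return HASH_NAMES.get(algo, "unknown(%d)" % algo)

def check(text):
    """(declared, actual, ok); ok is False when the armor misstates the digest."""
    declared, actual = armor_hashes(text), signature_hash(text)
    return declared, actual, actual in declared

def sample(header):
    """Constructed clearsigned message; the signature bytes are placeholders."""
    # v4 signature, type 0x01, DSA (17), SHA1 (2), empty subpacket areas, filler
    sig = bytes([4, 0x01, 17, 2, 0, 0, 0, 0, 0x12, 0x34]) + bytes(12)
    b64 = base64.b64encode(bytes([0x88, len(sig)]) + sig).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n" + header + "\nsome cleartext\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n")
```

`check(sample(""))` reproduces the reported case and returns `(['MD5'], 'SHA1', False)`; `check(sample("Hash: SHA1\n"))` returns `(['SHA1'], 'SHA1', True)`.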
