WARNING: signature digest conflict in message ?
mnalis-ml at voyager.hr
Thu Sep 25 14:05:49 CEST 2008
I did most of the testing with the default Debian Etch gnupg 1.4.6-2,
but I've also verified that the problem exists in gnupg 1.4.9-3.
The problem is that if one uses the clearsign format without a "Hash:" line, and
the actual hash used is *not* MD5, "gpg --verify" fails with:
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
If one uses detached signatures, gpg correctly guesses the hash used
from the signature, uses that, and correctly verifies the message.
If one uses a clearsign signature, but without a "Hash:" line, it
fails, unless the hash happens to be MD5.
A failing example looks something like:
-----BEGIN PGP SIGNED MESSAGE-----
some more cleartext
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
Would it be possible in such a case to try to deduce the hash used
from the signature, before (or instead of) falling back to assuming it is
MD5? I see no reason why it couldn't be possible.
Yes, I know it would work if the "Hash: SHA1" line was present
after "-----BEGIN PGP SIGNED MESSAGE-----", and while I could
easily fix it in my server, there are tons of other places where
it probably won't be fixed (long story - the software is INN's
pgpverify < 1.23).
Opinions above are GNU-copylefted.
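
The mismatch described in this message, as an added example that is not part of the original post and is not GnuPG's code: it reads the digest algorithm from the signature packet and compares it with what the clearsign header implies (RFC 4880 treats a missing "Hash:" line as MD5). The function names and the sample message are constructed for illustration; the sample signature bytes are filler and will not verify.

```python
import base64
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def sig_hash_algo(packet: bytes) -> str:
    """Return the digest algorithm recorded inside a signature packet (tag 2)."""
    first = packet[0]
    if first & 0x40:                         # new-format packet header
        tag, l0 = first & 0x3F, packet[1]
        start = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                    # old-format packet header
        tag = (first >> 2) & 0x0F
        start = 1 + (1, 2, 4, 0)[first & 0x03]
    if not first & 0x80 or tag != 2:
        raise ValueError("not a signature packet")
    body = packet[start:]
    offset = {3: 16, 4: 3}[body[0]]          # v3 and v4 bodies are laid out differently
    return HASH_NAMES.get(body[offset], "unknown(%d)" % body[offset])

def inspect_clearsign(text: str) -> dict:
    """Compare the digest implied by the cleartext header with the one in the signature."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    blank = lines.index("", start)           # armor headers end at the first empty line
    declared = [h.strip().upper() for l in lines[start + 1:blank]
                if l.startswith("Hash:") for h in l[5:].split(",")]
    sig_blank = lines.index("", lines.index("-----BEGIN PGP SIGNATURE-----"))
    b64 = []
    for l in lines[sig_blank + 1:]:
        if l.startswith(("=", "-----END")):  # CRC24 line or end of armor
            break
        b64.append(l)
    actual = sig_hash_algo(base64.b64decode("".join(b64)))
    assumed = declared or ["MD5"]            # RFC 4880: no "Hash:" header means MD5
    return {"assumed": assumed, "actual": actual, "conflict": actual not in assumed}

def sample(hash_id: int, hash_header: str = "") -> str:
    """Constructed message: v4 text signature header (DSA) with filler, will not verify."""
    body = bytes([4, 0x01, 17, hash_id, 0, 0, 0, 0]) + bytes(10)
    pkt = bytes([0x88, len(body)]) + body    # old-format header, tag 2, 1-byte length
    head = ["-----BEGIN PGP SIGNED MESSAGE-----"] + ([hash_header] if hash_header else [])
    return "\n".join(head + ["", "some more cleartext", "-----BEGIN PGP SIGNATURE-----",
                             "Version: GnuPG v1.4.6 (GNU/Linux)", "",
                             base64.b64encode(pkt).decode(), "-----END PGP SIGNATURE-----"])

if __name__ == "__main__":
    print(inspect_clearsign(sample(2)))      # SHA1 signature, no "Hash:" line
```

A check like this can flag headerless clearsigned messages whose signature packet names a digest other than MD5 before they are handed to a verifier that rejects them.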