WARNING: signature digest conflict in message ?

David Shaw dshaw at jabberwocky.com
Thu Sep 25 14:54:58 CEST 2008

On Sep 25, 2008, at 8:05 AM, Matija Nalis wrote:

> I did most of the testing with default debian Etch gnupg 1.4.6-2,
> but I've also verified that problem exists is gnupg 1.4.9-3
> The problem is if one uses clearsign format without "Hash:" line, and
> the actual hash used is *not* MD5, the "gpg --verify" fails with:
> gpg: WARNING: signature digest conflict in message
> gpg: Can't check signature: general error
> If one uses detached signatures, the gpg correctly guess hash used
> from the signature, uses that, and correctly verifies message.
> If one uses clearsign signature, but without "Hash:" line[1], it
> fails, unless the hash happens to be MD5.

This is specified in RFC-4880:

    If the "Hash" Armor Header is given, the specified message digest
    algorithm(s) are used for the signature.  If there are no such
    headers, MD5 is used.  If MD5 is the only hash used, then an
    implementation MAY omit this header for improved V2.x compatibility.

> Would it be possible in such a case to try to deduce the hash used
> from signature, before (or instead of) falling back to assuming it is
> MD5 ? I see no reason why it couldn't be possible.

Verifying a clear signature uses the Hash: header to set up the hash  
context, then the data is hashed, then the signature is read - in that  
order.  If GPG is getting the clear signatures in a stream it would  
have to buffer all the data until it finds out what the hash is by  
reading the signature, then go back and hash the data.  If the data is  
large, that may not be possible.

> [1] Yes, I know it would work if the "Hash: SHA1" line was present
>    after "-----BEGIN PGP SIGNED MESSAGE-----", and while I could
>    easily fix it in my server, there are tons of other places where
>    it probably won't be fixed (long story - the software is INN's
>    pgpverify < 1.23)

What is generating these messages in the first place?  Why not fix  
that?  I know your sample message was signed by GPG, but GPG puts the  
right Hash headers in.  Is something stripping them out?


More information about the Gnupg-devel mailing list