un-trusting MD5 in gpg [was: Re: removing SHA1 from digest preference list]
dshaw at jabberwocky.com
Mon May 4 04:44:04 CEST 2009
On May 3, 2009, at 8:48 PM, Daniel Kahn Gillmor wrote:
> Gnupg warns when *creating* md5 signatures, but that doesn't protect
> against signatures that already exist, and it doesn't seem to protect
> against interpreting or trusting signatures that rely on this
> known-broken digest algorithm.
> To be clear: i'm not looking to tell gnupg today "do not trust SHA1
> digests," but i *am* looking to tell gnupg today "do not trust MD5
> digests". I'm willing to take that risk of cutting myself off from
> older implementations with respect to MD5. And i'm interested in
> what the consequences will be of taking such an action.
There is no way to do this aside from modifying the source. It's an
interesting idea, though. At a minimum, it would imply cutting
yourself off from most, if not all, PGP 2.x support. I somewhat
suspect it would also affect some versions of PGP that are newer than
PGP 2.x, but yet aren't quite OpenPGPish (say, PGP 5 and 6 as they can
sometimes use old format packets that might expect MD5). It would
certainly break the GPG selftest as that expects MD5 to be present in
a number of places.
Funny, now that I think about it more, it doesn't really break all
that much. As a community, we've done a pretty good job of removing
MD5 from our lives.
The main problem is that the GPG code isn't really built with the
concept that MD5 might suddenly not be available. That's changeable,
of course (the selftest can be fixed, etc), but it's not trivial.
> Suggestions for how to go about doing this with gnupg?
Try this patch (against the 1.4 branch):
--- g10/sig-check.c (revision 4987)
+++ g10/sig-check.c (working copy)
@@ -60,6 +60,9 @@
PKT_public_key *pk = xmalloc_clear( sizeof *pk );
+ return G10ERR_BAD_SIGN;
if( (rc=check_digest_algo(sig->digest_algo)) )
; /* we don't have this digest */
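Review bot: as the hunk stands, the added `return G10ERR_BAD_SIGN;` is unconditional, so every signature (not only MD5 ones) would fail to verify, and it returns after `pk` has been allocated with `xmalloc_clear`, leaking it. The header `@@ -60,6 +60,9 @@` counts three added lines but only one `+` line is shown, so the test on `sig->digest_algo` that restricts the early return to MD5 appears to have been lost in the copy; it needs to be present, and the return should either come before the allocation or free `pk` first.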
That will artificially cause any signature made with MD5 to not
verify. Alternately (and a far more drastic change), in cipher/md.c
there is a function load_digest_module(). In it there are two lines
if (!new_list_item (DIGEST_ALGO_MD5, md5_get_info))
Remove or comment out those two lines. This second method actually
removes MD5 completely from GPG. It will likely break in more places
than the signature hack (for example --print-mds won't work, etc).
I'd be very interested to hear how well you get on without MD5.
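Added example, not part of the thread: a small Python audit that walks a raw OpenPGP signature stream and reports which signature packets were made with MD5, addressing the already-existing signatures the thread is concerned with. Packet layout follows RFC 4880; the sample bytes are constructed dummies.

```python
# Added example (not part of the original thread): audit a raw OpenPGP
# signature stream for signatures made with MD5 (hash algorithm id 1), since
# warning at creation time does nothing about signatures that already exist.
SIG_TAG, MD5_ID = 2, 1
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}

def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, RFC 4880 4.2."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                hdr, length = 2, first
            elif first < 224:
                hdr, length = 3, ((first - 192) << 8) + data[pos + 2] + 192
            elif first == 255:
                hdr, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def signature_hash_algo(body):
    """Hash algorithm id of a v3 or v4 signature packet body (RFC 4880 5.2)."""
    if body[0] == 3:  # ver, hashed-len, type, time[4], keyid[8], pk algo, hash algo
        return body[16]
    if body[0] == 4:  # ver, type, pk algo, hash algo, subpackets...
        return body[3]
    raise ValueError("unsupported signature version %d" % body[0])

def audit_signatures(data):
    """Return (version, digest name, uses_md5) for every signature packet."""
    algos = [(b[0], signature_hash_algo(b)) for t, b in iter_packets(data) if t == SIG_TAG]
    return [(v, HASH_NAMES.get(a, "algo %d" % a), a == MD5_ID) for v, a in algos]

SAMPLE = bytes.fromhex(  # constructed: v4/SHA-256 sig, then v3/MD5 sig; dummy key id, time, MPI
    "c20d" "04000108" "0000" "0000" "0000" "000101"
    "8816" "030500" "00000000" "0000000000000000" "0101" "0000" "000101")
```

Running `audit_signatures` over a detached signature file (binary, not armored) flags each MD5 signature so it can be rejected or re-signed, independently of what gpg itself accepts.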