un-trusting MD5 in gpg [was: Re: removing SHA1 from digest preference list]
David Shaw
dshaw at jabberwocky.com
Mon May 4 05:11:44 CEST 2009
On May 3, 2009, at 10:44 PM, David Shaw wrote:
>
>> Suggestions for how to go about doing this with gnupg?
>
> Try this patch (against the 1.4 branch):
Better patch:
Index: g10/sig-check.c
===================================================================
--- g10/sig-check.c (revision 4987)
+++ g10/sig-check.c (working copy)
@@ -60,6 +60,9 @@
PKT_public_key *pk = xmalloc_clear( sizeof *pk );
int rc=0;
+ if(sig->digest_algo==DIGEST_ALGO_MD5)
+ return G10ERR_BAD_SIGN;
+
if( (rc=check_digest_algo(sig->digest_algo)) )
; /* we don't have this digest */
else if((rc=check_pubkey_algo(sig->pubkey_algo)))
@@ -522,6 +525,10 @@
sig = node->pkt->pkt.signature;
algo = sig->digest_algo;
+ if(algo==DIGEST_ALGO_MD5)
+ return G10ERR_BAD_SIGN;
+
+
/* Check whether we have cached the result of a previous signature
check. Note that we may no longer have the pubkey or hash
needed to verify a sig, but can still use the cached value. A
David
More information about the Gnupg-devel
mailing list