[PATCH] Use preferred hashing algorithm when updating signature packets
David Shaw
dshaw at jabberwocky.com
Sun Jan 29 05:43:19 CET 2012
On Jan 28, 2012, at 4:46 PM, Christian Aistleitner wrote:
> Hello,
>
> when updating a signature packet, GnuPG reuses the hashing algorithm of the
> original signature packet.
> Hence, if the preferred hashing algorithm changed since the first
> signature, the updated signature does not use the currently preferred
> hashing algorithm.
>
> Kind regards,
> Christian
>
> ---
> g10/sign.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/g10/sign.c b/g10/sign.c
> index 4cc813c..b7b4c49 100644
> --- a/g10/sign.c
> +++ b/g10/sign.c
> @@ -1584,7 +1584,7 @@ update_keysig_packet( PKT_signature **ret_sig,
> || (orig_sig->sig_class == 0x18 && !subpk))
> return G10ERR_GENERAL;
>
> - if ( gcry_md_open (&md, orig_sig->digest_algo, 0 ) )
> + if ( gcry_md_open (&md, hash_for( pksk ), 0 ) )
This is not quite correct. hash_for() returns the appropriate digest for data, not for certification. If the intent is to have update_keysig_packet() use --cert-digest-algo rather than basing the signature on the existing digest, you want something like this:
if ( opt.cert_digest_algo )
digest_algo = opt.cert_digest_algo;
else
digest_algo = orig_sig->digest_algo;
David
More information about the Gnupg-devel
mailing list