Patch for T1644

Rainer Perske rainer.perske at
Fri Oct 20 14:05:09 CEST 2017

Hello all

Werner Koch asked me to post it here:

As described in my report T1644, it is possible that multiple 
certificates exist with the same Distinguished Name and the same key. 
In this case, verifying S/MIME signatures and other actions fail with 
"certificate not found: Ambiguous name". For details see the bug 

To circumvent the problem, I am patching GnuPG since 2014 so that in 
this case the newest of the ambiguous certificates is used.

This is not an ultimate solution of the problem: You should try every 
certificate with the same DN until verification succeeds or until all 
certificates fail, and if multiple certificates of a chain are 
ambiguous you even have to check every combination. You may even 
consider checking the keyUsage attributes of the ambiguous certificates 
to reduce the number of combinations.

But in the existing case of the certificates in the German Research 
Network (DFN) PKI where the newest one is the valid one and all 
ambiguous certificates have the same keyUsage attributes, this patch 
has proven to be sufficient over the last three years.

With every GnuPG update, I have adapted the patch, luckily I never 
needed to change anything except line numbers.

See attachment.

Hope this helps you.

Thank you all for your great work :-)

Best greetings
Rainer Perske
System operations dept. and director of the certification authority (WWUCA)
Center for Information Processing (university computer center)

Westfälische Wilhelms-Universität
Zentrum für Informationsverarbeitung
Rainer Perske
Röntgenstraße 7-13
48149 Münster

phone: +49 251 83-31582
fax: +49 251 83-31555
e-mail: rainer.perske at
office: room 006, Röntgenstraße 11
site map:

Certification Authority of the University of Münster (WWUCA):
phone: +49 251 83-31590
fax: +49 251 83-31555
e-mail: ca at

Center for Information Processing:
phone: +49 251 83-31600 (Mon-Fri 7:30-17:30)
fax: +49 251 83-31555
e-mail: ziv at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.2.0.T1644.diff
Type: text/x-patch
Size: 5534 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6807 bytes
Desc: S/MIME cryptographic signature
URL: <>

More information about the Gnupg-devel mailing list