Signature verification problem
Thu Aug 1 03:24:02 2002
David, Werner, thanks a lot for your explanation. Adding the "Hash"
header works and it seems that I will have to test if CryptoEx' support
is worth anything...
On Wed, 2002-07-31 at 21:24, Werner Koch wrote:
> On Wed, 31 Jul 2002 14:19:16 -0400, David Shaw said:
> > I imagine it works on PGP because of "be conservative in what you
> > generate and liberal in what you accept" and so PGP double-checks the
> > claimed hash against the actual signature data in some manner.
> Easy for PGP because it works on the entire file. GnuPG can't do that
> because it is really happy if you feed it with a 5 gig clearsigned
> message - the signature (with the information on what hash to use)
> comes at the end.
> One way to work around this would be to set up another hash context and
> calculate a SHA-1 hash along with the MD5 one. However I am reluctant
> to do this because gpg already has to set up more than one hash context
> to cope with other PGP 2 things.
> > It could be (and should be) argued that GnuPG should do the same here,
> > but nevertheless this is a bug in CryptoEx.
> CryptoEx claims to be OpenPGP compatible but there is some evidence
> that it is only a minimally enhanced PGP thingy.
"Life," said Marvin dolefully, "loathe it or ignore it, you can't like
it." --Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
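
The failure mode discussed in this thread, as an added example that is not part of the original messages or of GnuPG's code: a one-pass reader must open its hash contexts from the "Hash" armor header before the text streams past, and only learns which digest the signature names at the end. The function names and the sample message are constructed for illustration; the reader handles only old-format packet headers and does no cryptographic verification.

```python
import base64
import hashlib

# OpenPGP hash algorithm ID -> (armor "Hash" name, hashlib name)
HASHES = {1: ("MD5", "md5"), 2: ("SHA1", "sha1"), 8: ("SHA256", "sha256")}
BY_NAME = dict(HASHES.values())

def sig_hash_id(b64):
    """Hash algorithm ID from an old-format signature packet (tag 2)."""
    pkt = base64.b64decode(b64)
    if pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 15 != 2 or pkt[0] & 3 == 3:
        raise ValueError("unsupported packet header")
    body = pkt[1 + (1, 2, 4)[pkt[0] & 3]:]        # skip the length octets
    return body[16] if body[0] == 3 else body[3]  # v3 layout, else v4

def one_pass_check(lines):
    """Stream once; return (digest the signature names, contexts opened
    before the text, whether that digest was among them)."""
    it = iter(lines)
    if next(it).strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    names = []
    for line in it:                       # armor headers end at a blank line
        if not line.strip():
            break
        key, _, val = line.partition(":")
        if key.strip() == "Hash":
            names += [n.strip().upper() for n in val.split(",")]
    # No Hash header at all: MD5 is assumed, so only MD5 gets computed.
    ctxs = {n: hashlib.new(BY_NAME[n]) for n in names or ["MD5"]}
    sep = b""
    for line in it:                       # hash the text as it streams past
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        text = line[2:] if line.startswith("- ") else line  # undo dash-escape
        for ctx in ctxs.values():
            ctx.update(sep + text.rstrip().encode())
        sep = b"\r\n"
    rest = [l.strip() for l in it]        # only now is the signature visible
    b64 = "".join(l for l in rest[rest.index("") + 1:] if l[:1] not in "=-")
    need = HASHES[sig_hash_id(b64)][0]
    return need, sorted(ctxs), need in ctxs

def sample(hash_headers):
    """Constructed input; the 'signature' is only a v4 packet prefix that
    names SHA-1 (ID 2), not a verifiable signature."""
    sig = base64.b64encode(bytes([0x88, 4, 4, 1, 17, 2])).decode()
    return ["-----BEGIN PGP SIGNED MESSAGE-----", *hash_headers, "",
            "hello", "- -- ", "-----BEGIN PGP SIGNATURE-----", "",
            sig, "-----END PGP SIGNATURE-----"]
```

With `sample([])` the reader has computed only MD5 by the time it sees a signature that names SHA-1, so there is no matching digest to check against; with `sample(["Hash: SHA1"])` the right context exists.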