Signature verification problem

Konrad Podloucky
Thu Aug 1 03:24:02 2002

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

David, Werner, thanks a lot for your explanation. Adding the "Hash"
header works and it seems that I will have to test if CryptoEx' support
is worth anything...

Thanx again,

On Wed, 2002-07-31 at 21:24, Werner Koch wrote:
> On Wed, 31 Jul 2002 14:19:16 -0400, David Shaw said:
> > I imagine it works on PGP because of "be conservative in what you
> > generate and liberal in what you accept" and so PGP double-checks the
> > claimed hash against the actual signature data in some manner.
> Easy for PGP because it works on the entire file.  GnuPG can't do that
> becuase it is really happy if you feed it with a 5 gig clearssigned
> message - the signature (with the information on what hash to use)
> comes at the end.
> One way to work around this would be to setup another hash context and
> calculate a SHA-1 hash along with the MD5 one.  However I am reluctant
> to do this because gpg already has to setup more than one hash context
> to cope with other PGP 2 things.
> > It could be (and should be) argued that GnuPG should do the same here,
> > but nevertheless this is a bug in CryptoEx.
> CryptoEx claims to be OpenPGP compatible but there is some evidence
> that it is only a minimal enhanced PGP thingy.
> Shalom-Salam,
>    Werner
> _______________________________________________
> Gnupg-users mailing list
"Life," said Marvin dolefully, "loathe it or ignore it, you can't like
it."      --Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part