Signature verification problem

Konrad Podloucky konrad@crunchy-frog.org
Thu Aug 1 03:24:02 2002


--=-InKZsJRDtt08F2rloyeX
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

David, Werner, thanks a lot for your explanation. Adding the "Hash"
header works and it seems that I will have to test if CryptoEx' support
is worth anything...

Thanx again,
	Konrad


On Wed, 2002-07-31 at 21:24, Werner Koch wrote:
> On Wed, 31 Jul 2002 14:19:16 -0400, David Shaw said:
>=20
> > I imagine it works on PGP because of "be conservative in what you
> > generate and liberal in what you accept" and so PGP double-checks the
> > claimed hash against the actual signature data in some manner.
>=20
> Easy for PGP because it works on the entire file.  GnuPG can't do that
> becuase it is really happy if you feed it with a 5 gig clearssigned
> message - the signature (with the information on what hash to use)
> comes at the end.
>=20
> One way to work around this would be to setup another hash context and
> calculate a SHA-1 hash along with the MD5 one.  However I am reluctant
> to do this because gpg already has to setup more than one hash context
> to cope with other PGP 2 things.
>=20
> > It could be (and should be) argued that GnuPG should do the same here,
> > but nevertheless this is a bug in CryptoEx.
>=20
> CryptoEx claims to be OpenPGP compatible but there is some evidence
> that it is only a minimal enhanced PGP thingy.
>=20
>=20
> Shalom-Salam,
>=20
>    Werner
>=20
>=20
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
--=20
"Life," said Marvin dolefully, "loathe it or ignore it, you can't like
it."      --Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

--=-InKZsJRDtt08F2rloyeX
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iD8DBQA9SI4KbMSf/LrLCGcRArz7AJsEvfqTpIGNgJlZgjDfljA4f6dVUQCfbATi
iti8mdrqKe61dBTW+1lchFE=
=kRDh
-----END PGP SIGNATURE-----

--=-InKZsJRDtt08F2rloyeX--