Signature verification problem

David Shaw dshaw@jabberwocky.com
Wed Jul 31 22:10:02 2002


On Wed, Jul 31, 2002 at 09:24:12PM +0200, Werner Koch wrote:
> On Wed, 31 Jul 2002 14:19:16 -0400, David Shaw said:

> One way to work around this would be to set up another hash context and
> calculate a SHA-1 hash along with the MD5 one.  However I am reluctant
> to do this because gpg already has to set up more than one hash context
> to cope with other PGP 2 things.
> 
> > It could be (and should be) argued that GnuPG should do the same here,
> > but nevertheless this is a bug in CryptoEx.
> 
> CryptoEx claims to be OpenPGP compatible but there is some evidence
> that it is only a minimal enhanced PGP thingy.

Perhaps it's worth an error message if the hash specified in the armor
header does not match the hash specified in the signature.  The same
thing could happen with the onepass signatures as well.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
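
The check suggested in the message above, sketched as an added example (not part of the original post and not GnuPG code): compare the hash declared in the cleartext `Hash:` armor header with the hash algorithm named inside the signature packet. The function names are hypothetical, and the sample message is constructed with a dummy, unverifiable signature packet.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def armor_hashes(text):
    """Hash names declared in the cleartext 'Hash:' armor header(s)."""
    lines = text.split("-----BEGIN PGP SIGNED MESSAGE-----", 1)[1].splitlines()[1:]
    names = set()
    for line in lines:
        if not line.strip():              # blank line ends the armor headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            names.update(n.strip().upper() for n in value.split(","))
    return names or {"MD5"}               # no Hash header: MD5 is assumed

def signature_hash(text):
    """Hash algorithm named inside the first signature packet."""
    block = text.split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    block = block.split("-----END PGP SIGNATURE-----", 1)[0]
    body = block.split("\n\n", 1)[1]      # skip armor headers such as Version:
    pkt = base64.b64decode("".join(l for l in body.split() if l[0] != "="))
    if pkt[0] & 0x40:                     # new-format packet header
        tag, first = pkt[0] & 0x3F, pkt[1]
        start = 2 if first < 192 else 3 if first < 224 else 6
    else:                                 # old-format packet header
        tag = (pkt[0] >> 2) & 0x0F
        start = 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature")
    # v2/v3: ver, len(5), type, time(4), keyid(8), pubkey algo, hash algo
    # v4:    ver, type, pubkey algo, hash algo
    algo = pkt[start + (16 if pkt[start] in (2, 3) else 3)]
    return HASH_NAMES.get(algo, "ID%d" % algo)

def check(text):
    """Return (match, declared, actual) for one cleartext-signed message."""
    text = text.replace("\r\n", "\n")
    declared, actual = armor_hashes(text), signature_hash(text)
    return actual in declared, declared, actual

def sample(header, hash_id):
    """Constructed message with a dummy v3 signature packet (not verifiable)."""
    body = bytes([3, 5, 1]) + bytes(12) + bytes([1, hash_id]) + bytes(4)
    pkt = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n" + header + "\nhello\n"
            "-----BEGIN PGP SIGNATURE-----\n\n" + pkt + "\n-----END PGP SIGNATURE-----\n")
```

`check(sample("Hash: SHA1\n", 1))` reports a mismatch, which is the condition the proposed error message would flag.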