? problem with verification of pgp armored signed files using sha-256 ?
vedaal at hush.com
Sun Mar 27 16:12:51 CEST 2005
have recently looked at an old pgpckt version,
and found that gnupg 1.4.1 does not verify armored signed files
done in ckt
(i don't remember which was the last version of gnupg that did
verify it, but do remember that it was not a problem in earlier
versions)
here is the gnupg output, followed by the actual armored signed
file:
$ gpg t/cktasf.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: 6.5.8ckt 9b3
gpg: armor header: Comment: Acts of Kindness better the World, and protect the Soul
:compressed packet: algo=1
:signature packet: algo 1, keyid 5AA20C866A589A97
	version 3, created 1111931695, md5len 5, sigclass 01
	digest algo 8, begin of digest 61 c1
	data: [4095 bits]
:literal data packet:
	mode t (74), created 2516582400, name="",
	raw data: 50 bytes
gpg: original file name=''
gpg: old style (PGP 2.x) signature
gpg: Signature made 03/27/05 08:54:55 using RSA key ID 6A589A97
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
here is the armored signed file:
(official) pgp9beta does not have the pgptools easily accessible,
so i couldn't create an armored signed file there to test,
so am reporting this for further testing / followup
i suspect that it may be limited to the old ckt builds,
but there may be a potential incompatibility with verification of
armored signed files done in pgp9 too
tia,
vedaal
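
An added example, not part of the original post: a small Python helper that reads the packet listing gpg printed above and extracts the fields relevant to this report (packet order, signature version, digest algorithm name per RFC 4880, creation time in UTC, and whether a one-pass signature packet is present). The names `parse_packets`, `summarize` and `SAMPLE` are introduced here for illustration; `:onepass_sig packet:` is the label gpg uses when it lists a one-pass signature packet.

```python
import re
from datetime import datetime, timezone

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Packet listing copied from the gpg output in the post ("gpg:" lines dropped).
SAMPLE = """\
:compressed packet: algo=1
:signature packet: algo 1, keyid 5AA20C866A589A97
	version 3, created 1111931695, md5len 5, sigclass 01
	digest algo 8, begin of digest 61 c1
	data: [4095 bits]
:literal data packet:
	mode t (74), created 2516582400, name="",
	raw data: 50 bytes
"""

def parse_packets(listing):
    """Split a gpg packet listing into ordered (packet_name, body_text) tuples."""
    packets = []
    for line in listing.splitlines():
        m = re.match(r":(.+?) packet:\s*(.*)", line.strip())
        if m:
            packets.append([m.group(1), m.group(2)])
        elif packets and not line.startswith("gpg:"):
            # Indented continuation line: append it to the current packet.
            packets[-1][1] += " " + line.strip()
    return [tuple(p) for p in packets]

def summarize(listing):
    """Report the signature fields and packet order for the first signature."""
    packets = parse_packets(listing)
    order = [name for name, _ in packets]
    sig = next((body for name, body in packets if name == "signature"), None)
    if sig is None:
        raise ValueError("no signature packet in listing")
    digest = int(re.search(r"digest algo (\d+)", sig).group(1))
    created = int(re.search(r"created (\d+)", sig).group(1))
    return {
        "order": order,
        "sig_version": int(re.search(r"version (\d+)", sig).group(1)),
        "digest": HASH_ALGOS.get(digest, f"unknown({digest})"),
        "created_utc": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "one_pass": "onepass_sig" in order,
        "sig_before_data": "literal data" in order
        and order.index("signature") < order.index("literal data"),
    }
```

For the listing in the post this reports a version 3 signature using SHA256, placed before the literal data with no one-pass signature packet.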