Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP
dshaw at jabberwocky.com
Wed Apr 15 05:03:31 CEST 2009
On Apr 14, 2009, at 9:10 PM, Ronald Cook wrote:
> I've been scouring the gnupg-users mail archives but haven't yet seen
> a solution to this.
> One of our clients recently upgraded their production installation of
> GnuPG 1.4.5 to version 1.4.9. They send encrypted / signed files to
> us almost daily for real-time financial processing.
> Prior to their upgrade, files received from them passed signature
> verification and decrypted successfully in our production installation
> of PGP 6.x, circa 1999-2000. Since the upgrade, signature
> verification fails.
> They've not changed their key and manual decryption / verification
> works correctly through a stand-alone GnuPG 1.4.9.
> It took a while for us to get them to admit to the upgrade; now they
> can't recall if they had any specific command line options in place
> that might not have been replicated to the new version.
> Might anyone have any ideas as to anything we can suggest to them, or
> any comments as to what might have changed in their process?
> Feel free to request more information. If I can provide it without
> violating my employer's NPI regulations, I'll be glad to do so.
So, the decryption and verification works with GPG 1.4.9, but not with
a PGP 6.x. It might be an algorithm conflict, or possibly a hashing
problem. Can you tell me about what error is returned when PGP 6.x
tries to process the file?
- are the files encrypted and signed in one piece, or are the
signatures detached signatures?
- is this a DSA or RSA signature? (when you did the test with 1.4.9,
it would say "using DSA key" or "using RSA key" when it verified).
- Can you repeat the test decrypt/verify that you did with the
standalone 1.4.9, except add a "-v" to the command line. This will
make GPG print out some extra information. The pieces that are most
relevant to the problem are the lines that read "gpg: XXXXXX encrypted
data" and "gpg: YYYYYY signature, digest algorithm ZZZZZZ". Can you
send me XXXXXX, YYYYYY, and ZZZZZZ?
You might try asking your client to add "--pgp6" to their GPG command
line. PGP 6 is not really completely up to the modern PGP spec (it's
a good few years out of date), and --pgp6 tells GPG to try and be
compatible with the older version.
More information about the Gnupg-users