Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP

David Shaw dshaw at jabberwocky.com
Wed Apr 15 05:03:31 CEST 2009


On Apr 14, 2009, at 9:10 PM, Ronald Cook wrote:

> Hi.
>
> I've been scouring the gnupg-users mail archives but haven't yet seen
> a solution to this.
>
> One of our clients recently upgraded their production installation of
> GnuPG 1.4.5 to version 1.4.9.  They send encrypted / signed files to
> us almost daily for real-time financial processing.
>
> Prior to their upgrade, files received from them passed signature
> verification and decrypted successfully in our production installation
> of PGP 6.x, circa 1999-2000.  Since the upgrade, signature
> verification fails.
>
> They've not changed their key and manual decryption / verification
> works correctly through a stand-alone GnuPG 1.4.9.
>
> It took a while for us to get them to admit to the upgrade; now they
> can't recall if they had any specific command line options in place
> that might not have been replicated to the new version.
>
> Might anyone have any ideas as to anything we can suggest to them, or
> any comments as to what might have changed in their process?
>
> Feel free to request more information.  If I can provide it without
> violating my employer's NPI regulations, I'll be glad to do so.

So, the decryption and verification works with GPG 1.4.9, but not with
a PGP 6.x.  It might be an algorithm conflict, or possibly a hashing
problem.  Can you tell me about what error is returned when PGP 6.x
tries to process the file?

Other questions:

-  are the files encrypted and signed in one piece, or are the
signatures detached signatures?
-  is this a DSA or RSA signature?  (when you did the test with 1.4.9,
it would say "using DSA key" or "using RSA key" when it verified).
-  Can you repeat the test decrypt/verify that you did with the
standalone 1.4.9, except add a "-v" to the command line.  This will
make GPG print out some extra information.  The pieces that are most
relevant to the problem are the lines that read "gpg: XXXXXX encrypted
data" and "gpg: YYYYYY signature, digest algorithm ZZZZZZ".  Can you
send me XXXXXX, YYYYYY, and ZZZZZZ?

You might try asking your client to add "--pgp6" to their GPG command
line.  PGP 6 is not really completely up to the modern PGP spec (it's
a good few years out of date), and --pgp6 tells GPG to try and be
compatible with the older version.

David
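A small parser for the "-v" diagnostics David asks for, added here as an example (it is not from the thread and not part of GnuPG): it pulls the cipher, signature mode, digest algorithm and signing-key type out of gpg's verbose output and flags anything outside the algorithm set that GnuPG's --pgp6 option restricts itself to (per the GnuPG 1.4 manual: ciphers IDEA, 3DES and CAST5; digests MD5, SHA1 and RIPEMD160). The two sample outputs and the key ID in them are constructed placeholders, not real captures; the regular expressions assume the wording GnuPG 1.4 uses for these lines.

```python
import re

# Algorithm set that GnuPG's --pgp6 option restricts itself to
# (GnuPG 1.4 manual, description of --pgp6).  Compression (none/ZIP)
# does not show up in the lines parsed here, so it is not checked.
PGP6_CIPHERS = {"IDEA", "3DES", "CAST5"}
PGP6_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

# Diagnostic lines GnuPG 1.4 prints with -v while decrypting/verifying
# (these are the "XXXXXX encrypted data" and "YYYYYY signature, digest
# algorithm ZZZZZZ" lines from the reply above, plus "Signature made").
_CIPHER_RE = re.compile(r"^gpg: (\S+) encrypted data$")
_SIG_RE = re.compile(r"^gpg: (binary|textmode) signature, digest algorithm (\S+)$")
_KEY_RE = re.compile(r"^gpg: Signature made .* using (\S+) key ID (\S+)$")


def parse_gpg_verbose(output):
    """Extract cipher, signature mode, digest and signing-key algorithm from gpg -v text."""
    info = {"cipher": None, "sig_mode": None, "digest": None,
            "sig_key_algo": None, "sig_key_id": None}
    for raw in output.splitlines():
        line = raw.rstrip()
        m = _CIPHER_RE.match(line)
        if m:
            info["cipher"] = m.group(1)          # XXXXXX
            continue
        m = _SIG_RE.match(line)
        if m:
            info["sig_mode"] = m.group(1)        # YYYYYY (binary/textmode)
            info["digest"] = m.group(2)          # ZZZZZZ
            continue
        m = _KEY_RE.match(line)
        if m:
            info["sig_key_algo"], info["sig_key_id"] = m.group(1), m.group(2)
    return info


def pgp6_conflicts(info):
    """Return human-readable reasons this message falls outside the --pgp6 algorithm set."""
    problems = []
    if info["cipher"] and info["cipher"] not in PGP6_CIPHERS:
        problems.append("cipher %s is not one of %s"
                        % (info["cipher"], ", ".join(sorted(PGP6_CIPHERS))))
    if info["digest"] and info["digest"] not in PGP6_DIGESTS:
        problems.append("digest %s is not one of %s"
                        % (info["digest"], ", ".join(sorted(PGP6_DIGESTS))))
    return problems


# Constructed sample outputs (not real captures; 01234567 is a placeholder key ID).
SAMPLE_OK = """\
gpg: CAST5 encrypted data
gpg: encrypted with 2048-bit ELG-E key, ID 01234567, created 2005-01-01
gpg: Signature made Tue Apr 14 21:10:00 2009 EDT using DSA key ID 01234567
gpg: binary signature, digest algorithm SHA1
"""

SAMPLE_BAD = """\
gpg: AES256 encrypted data
gpg: encrypted with 2048-bit ELG-E key, ID 01234567, created 2005-01-01
gpg: Signature made Tue Apr 14 21:10:00 2009 EDT using DSA key ID 01234567
gpg: binary signature, digest algorithm SHA256
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():
        # e.g.  gpg -v --decrypt file.gpg 2>&1 >/dev/null | python3 pgp6check.py
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)]
    for label, text in samples:
        info = parse_gpg_verbose(text)
        print(label, info)
        for p in pgp6_conflicts(info):
            print("  PGP 6 conflict:", p)
```

gpg writes these diagnostics to stderr, so redirect stderr into the pipe (and the decrypted payload elsewhere) before feeding the script. A clean result from this check does not prove PGP 6 will accept the file: it only rules out the cipher/digest mismatch David suspects first, and says nothing about signing subkeys or other packet-level differences that --pgp6 also adjusts.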