General Error while checking message signature (Maybe I should has at Enigmail list)

Robert J. Hansen rjh at sixdemonbag.org
Thu Feb 12 17:09:59 CET 2009


Robert J. Hansen wrote:
> I haven't done any checking into the matter, so please consider this
> only a possibility.

A follow-up:



gpg: using character set `utf-8'
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v2.0.10 (GNU/Linux)
:signature packet: algo 1, keyid CA3CCC060F278D6D
	version 4, created 1234446326, md5len 0, sigclass 0x00
	digest algo 3, begin of digest 15 10
	hashed subpkt 2 len 4 (sig created 2009-02-12)
	subpkt 16 len 8 (issuer key ID CA3CCC060F278D6D)
	data: [1023 bits]
Detached signature.
Please enter name of data file: Desktop/malte.eml
gpg: Signature made Thu Feb 12 08:45:26 2009 EST using RSA key ID 0F278D6D
gpg: BAD signature from "Malte Gell <malte.gell at gmx.de>"
gpg: binary signature, digest algorithm RIPEMD160



... So according to GnuPG, the sig is using RIPEMD160.  But ta-da, look
at the message header (slightly edited for readability):



Content-Type: multipart/signed; ...
	protocol="application/pgp-signature"; micalg=pgp-sha1



The message declares it's using SHA1, the message actually uses
RIPEMD160.  Presto, instant conflict.  GnuPG correctly flags the message
as being suspect, since the message is inconsistent.
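
The comparison described in the message above, as an added example (not part of the original post, and not GnuPG or Enigmail code): it reads the declared `micalg` from the Content-Type header and the hash algorithm ID from the binary signature packet, then reports whether they agree. The function names, the boundary value and the truncated sample packet are constructed for illustration.

```python
from email import message_from_string

# OpenPGP hash algorithm IDs (RFC 4880) mapped to RFC 3156 style micalg names.
HASH_MICALG = {1: "pgp-md5", 2: "pgp-sha1", 3: "pgp-ripemd160", 8: "pgp-sha256",
               9: "pgp-sha384", 10: "pgp-sha512", 11: "pgp-sha224"}

def sig_hash_algo(packet: bytes) -> int:
    """Return the hash algorithm ID from a binary OpenPGP signature packet."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                       # new-format header
        tag, l0 = first & 0x3F, packet[1]
        if l0 >= 224 and l0 != 255:
            raise ValueError("partial body lengths not handled")
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                  # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        hdr = 1 + (1, 2, 4)[ltype]
    if tag != 2:
        raise ValueError("not a signature packet")
    body = packet[hdr:]
    if body[0] == 4:                       # v4: version, sigclass, pubkey algo, hash algo
        return body[3]
    if body[0] == 3:                       # v3: hash algo follows time, key ID, pubkey algo
        return body[16]
    raise ValueError(f"unsupported signature version {body[0]}")

def check_micalg(headers: str, packet: bytes):
    """Return (declared, actual, consistent) for a multipart/signed message."""
    declared = (message_from_string(headers).get_param("micalg") or "").lower()
    algo = sig_hash_algo(packet)
    actual = HASH_MICALG.get(algo, f"unknown-{algo}")
    return declared, actual, declared == actual

# Constructed sample mirroring the listing above; the boundary value is made up.
SAMPLE_HEADERS = ('Content-Type: multipart/signed; boundary="b1";\n'
                  '\tprotocol="application/pgp-signature"; micalg=pgp-sha1\n\n')
# Constructed, truncated packet: old-format tag 2, then version 4,
# sigclass 0x00, pubkey algo 1, digest algo 3.
SAMPLE_SIG = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x03])

if __name__ == "__main__":
    print(check_micalg(SAMPLE_HEADERS, SAMPLE_SIG))
```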



