Wrong signature hash detection?
David Shaw
dshaw at jabberwocky.com
Fri May 7 05:19:28 CEST 2010
On May 6, 2010, at 10:43 PM, Hauke Laging wrote:
> Hello,
>
> I have created signatures with different keys for a JPEG file. You can find
> both the graphics file and the signatures on this web page:
>
> http://www.hauke-laging.de/organspende.html
>
> If I check the signatures, gpg2 2.0.15 (and at least .14, too) returns the
> wrong hash (unless I misunderstand something):
>
> start cmd:> LC_ALL=C gpg --verify --verbose organspende.7f637e7b.1.sig
> organspende.jpg
> Version: GnuPG v2.0.14 (GNU/Linux)
> gpg: armor header:
> gpg: Signature made Fri May 7 03:48:42 2010 CEST
> gpg: using RSA key 0x7F637E7B
> gpg: using PGP trust model
> gpg: Good signature from "Hauke Laging (Dieser Schlüssel ist wirklich sicher)
> <smartcard at hauke-laging.de>"
> gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html
>
> gpg: binary signature, digest algorithm SHA1
>
> It says SHA1 though according to my understanding
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
> cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
> YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
> QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
> CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
> OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
> k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
> =eaxc
> -----END PGP SIGNATURE-----
>
> is obviously not an SHA1 signature.
I think there is a misunderstanding. This is absolutely a SHA1 signature. Why do you think it isn't?
David
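Added example (not part of either message, and not GnuPG's code): the digest algorithm that `gpg --verify --verbose` reports is the hash algorithm octet stored in the signature packet, and this sketch reads that octet from a de-armored detached signature following the RFC 4880 packet layout. `SAMPLE` is a constructed, truncated packet start rather than the signature quoted in the thread, and the function names are hypothetical.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Decode an ASCII-armored block to raw packet bytes (CRC24 line skipped)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]   # armor headers end at the first blank line
    data = [ln for ln in body if not ln.startswith(("-----", "="))]
    return base64.b64decode("".join(data))

def body_offset(packet):
    """Return (packet tag, offset of the packet body) for either header format."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new format: tag in the low 6 bits
        n = packet[1]
        if 224 <= n < 255:
            raise ValueError("partial body lengths are not handled here")
        offset = 2 if n < 192 else 3 if n < 224 else 6
        return first & 0x3F, offset
    if (first & 0x03) == 3:              # old format: length type in the low 2 bits
        raise ValueError("indeterminate length is not handled here")
    return (first >> 2) & 0x0F, 1 + (1, 2, 4)[first & 0x03]

def signature_digest(packet):
    """Return (version, signature type, digest name) of a signature packet."""
    tag, off = body_offset(packet)
    if tag != 2:
        raise ValueError("first packet is not a signature (tag 2)")
    body = packet[off:]
    if body[0] == 4:      # v4: version, sig type, pubkey algo, hash algo
        sig_type, hash_id = body[1], body[3]
    elif body[0] == 3:    # v3: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
        sig_type, hash_id = body[2], body[16]
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return body[0], sig_type, HASH_NAMES.get(hash_id, f"unknown({hash_id})")

# Constructed sample: only the start of a v4 binary (0x00) RSA (1) signature
# packet with hash algorithm 2; it is not a verifiable signature.
SAMPLE = bytes([0x89, 0x00, 0x06, 0x04, 0x00, 0x01, 0x02, 0x00, 0x00])
SAMPLE_ARMOR = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                + base64.b64encode(SAMPLE).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(signature_digest(dearmor(SAMPLE_ARMOR)))
```
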
More information about the Gnupg-users mailing list