gpg: WARNING: message was not integrity protected - MDC

David Shaw dshaw at jabberwocky.com
Thu Jan 31 21:41:06 CET 2013


On Jan 31, 2013, at 8:29 AM, perhop <per.hopstadius at logica.com> wrote:

> Hi
> 
> This has been discussed before and I have a question referring to this.
> Short summary:
> 
> A customer encrypts data with our public key, we receive the file and we
> attempt to decrypt it. The decrypt step seems to work but we get a warning
> message while validating the file (gpg: WARNING: message was not integrity
> protected).  The question is how to avoid the warning message.
> 
> After reading the forum I believe this has to do with mdc, that mdc is not
> forced in this case and that is causing the warning message.
> 
> I would like to know how you enable mdc. Do I tell the customer to force mdc
> or is that controlled from my side, automatic controlled depending on what
> cipher method I use? 
> We run GPG version 1.4.9 and customer PGP 7.1

Note that the message you see is just a warning.  It does not affect decryption - it's just telling you that the sender didn't protect the message.

There are several ways to enable MDC.  The most common way is a flag on your key that instructs the customer's PGP to enable MDC (i.e. "I can handle MDC, so you're free to use it").  So the first thing you should do is check your key to see if it has the MDC flag on it.  To do this, run:

  gpg --edit-key (yourkey)

and enter "showpref" at the prompt.  The final line is "Features".  If "MDC" is on that line, then you have the MDC flag, and anyone communicating with you should use an MDC if they support it.  That said, I see that your customer is using PGP 7.1, which is incredibly old at this point.  I don't recall offhand if it supports MDC or not (I have a vague recollection that PGP only started supporting it in PGP 8 - which is itself very old at this point).

If your key has the MDC flag, then the problem is most likely that the customer's PGP doesn't support MDC.  Since you probably can't upgrade the customer, you can use the --no-mdc-warning option on your side.  This doesn't change the fact that the message you got isn't protected, but does prevent the warning from being printed.

David
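As an added example (my own, not part of this thread or of GnuPG): the warning above is raised because the encrypted body arrived as a legacy Symmetrically Encrypted Data packet (tag 9) instead of the Symmetrically Encrypted Integrity Protected Data packet (tag 18) that carries the MDC. Those packet tags sit in plaintext headers, so an incoming file can be checked for integrity protection before anyone decrypts it. The sample messages are constructed, with dummy bodies standing in for real ciphertext.

```python
# Added example, not from the thread: read the top-level packet headers of an
# OpenPGP message and report whether it uses SEIPD (MDC) or legacy SED.
TAG_SED, TAG_SEIPD = 9, 18  # RFC 4880 sections 5.7 and 5.13

def packet_tags(data: bytes) -> list:
    """Return the tag of each top-level packet (RFC 4880 section 4.2 headers)."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"byte at offset {i} is not a packet header")
        i += 1
        if ctb & 0x40:                      # new-format header
            tags.append(ctb & 0x3F)
            while True:                     # loop handles partial-body chunks
                first = data[i]; i += 1
                if first < 192:
                    n, more = first, False
                elif first < 224:
                    n, more = ((first - 192) << 8) + data[i] + 192, False; i += 1
                elif first == 255:
                    n, more = int.from_bytes(data[i:i + 4], "big"), False; i += 4
                else:                       # 224..254: partial body length
                    n, more = 1 << (first & 0x1F), True
                i += n
                if not more:
                    break
        else:                               # old-format header
            tags.append((ctb >> 2) & 0x0F)
            ltype = ctb & 0x03
            if ltype == 3:                  # indeterminate: runs to end of input
                i = len(data)
            else:
                width = (1, 2, 4)[ltype]
                i += width + int.from_bytes(data[i:i + width], "big")
    return tags

def integrity_protected(data: bytes) -> bool:
    """True for SEIPD (MDC present), False for legacy SED (gpg warns)."""
    tags = packet_tags(data)
    if TAG_SEIPD in tags:
        return True
    if TAG_SED in tags:
        return False
    raise ValueError("no encrypted data packet in message")

# Constructed samples: a 2-byte PKESK (tag 1) followed by SEIPD vs. SED.
PKESK = bytes([0xC1, 0x02, 0x03, 0xAA])                   # new-format tag 1
WITH_MDC = PKESK + bytes([0xD2, 0x03, 0x01, 0xBB, 0xCC])  # new-format tag 18
WITHOUT_MDC = PKESK + bytes([0xA4, 0x02, 0xBB, 0xCC])     # old-format tag 9
```

`gpg --list-packets` shows the same tags for a real file; this check only looks at the message itself and says nothing about whether your own key advertises the MDC feature, which is what "showpref" reports.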

