Hi there,

Firstly, I should warn you this is the first set of patches I've
submitted for any software ever, so please accept my apologies if
something is out of order. :)

With all the recent SHA-1 related news, I decided to test gpg to ensure
that updated self-signatures used the algorithm specified in
cert-digest-algo. I discovered that gpg takes the digest algorithm from
the previous self-signature. This patch allows this behaviour to be
overridden by using the digest specified by cert-digest-algo. I will be
honest and say that I haven't read the full PGP specification, so this
might be against it, so feedback on this would be welcome.

I have included 2 patches, one against 1.4.9 for people still using
1.4.9 who wish to patch, and a patch against the current SVN. Both
patches have been tested to the point that they produce valid signatures
using an RSA key that can be checked with --check-sigs. The patches were
applied to the current source packages of gnupg and gnupg2 in Ubuntu
Intrepid.

I welcome your feedback on these patches.

Regards
J Cruickshanks
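
One way to check which digest the self-signatures on a key actually use, as an added example that is not part of the original message or its patches: it parses text in the layout printed by `gpg --list-packets` and reports whether the newest self-signature still uses a weak digest. The sample listing, key IDs and function names are constructed for illustration, and the key is assumed to carry a single user ID.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}

# Constructed sample in the layout printed by `gpg --list-packets`;
# key IDs, timestamps and digest bytes are made up for this example.
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1200000000, expires 0
:user ID packet: "Test User <test@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1200000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 1a 2b
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1240000000, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 3c 4d
:signature packet: algo 17, keyid FEDCBA9876543210
\tversion 4, created 1210000000, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 5e 6f
"""

SIG_RE = re.compile(
    r"^:signature packet: algo \d+, keyid (?P<keyid>[0-9A-Fa-f]+)\s*\n"
    r"\s+version \d+, created (?P<created>\d+), md5len \d+, "
    r"sigclass 0x(?P<cls>[0-9a-f]+)\s*\n"
    r"\s+digest algo (?P<digest>\d+),", re.M)

def self_signatures(listing, primary_keyid):
    """Return sorted (created, digest_name) for certifications issued by the key itself."""
    out = []
    for m in SIG_RE.finditer(listing):
        is_cert = 0x10 <= int(m["cls"], 16) <= 0x13  # certification classes
        if is_cert and m["keyid"].upper() == primary_keyid.upper():
            n = int(m["digest"])
            out.append((int(m["created"]), DIGEST_NAMES.get(n, f"unknown({n})")))
    return sorted(out)

def newest_self_sig_is_weak(listing, primary_keyid):
    """True when the most recent self-signature uses MD5 or SHA-1."""
    sigs = self_signatures(listing, primary_keyid)
    return bool(sigs) and sigs[-1][1] in WEAK

if __name__ == "__main__":
    print(self_signatures(SAMPLE, "0123456789ABCDEF"))
```
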