[PATCH] Use preferred hashing algorithm when updating signature packets
David Shaw
dshaw at jabberwocky.com
Sun Jan 29 05:57:45 CET 2012
On Jan 28, 2012, at 11:43 PM, David Shaw wrote:
> On Jan 28, 2012, at 4:46 PM, Christian Aistleitner wrote:
>
>> Hello,
>>
>> when updating a signature packet, GnuPG reuses the hashing algorithm of the
>> original signature packet.
>> Hence, if the preferred hashing algorithm changed since the first
>> signature, the updated signature does not use the currently preferred
>> hashing algorithm.
>>
>> Kind regards,
>> Christian
>>
>> ---
>> g10/sign.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/g10/sign.c b/g10/sign.c
>> index 4cc813c..b7b4c49 100644
>> --- a/g10/sign.c
>> +++ b/g10/sign.c
>> @@ -1584,7 +1584,7 @@ update_keysig_packet( PKT_signature **ret_sig,
>> || (orig_sig->sig_class == 0x18 && !subpk))
>> return G10ERR_GENERAL;
>>
>> - if ( gcry_md_open (&md, orig_sig->digest_algo, 0 ) )
>> + if ( gcry_md_open (&md, hash_for( pksk ), 0 ) )
>
> This is not quite correct. hash_for() returns the appropriate digest for data, not for certification. If the intent is to have update_keysig_packet() use --cert-digest-algo rather than basing the signature on the existing digest, you want something like this:
>
> if ( opt.cert_digest_algo )
> digest_algo = opt.cert_digest_algo;
> else
> digest_algo = orig_sig->digest_algo;
Although, let me add - I think you're right. The updated certification should use an updated digest, if the user has selected one. It just needs to be the cert-digest-algo, rather than the digest-algo.
David
More information about the Gnupg-devel
mailing list