Upgrade from GnuPG 1.4.5 to 1.4.9 breaks signature verification in PGP

Robert J. Hansen rjh at sixdemonbag.org
Wed Apr 15 05:45:52 CEST 2009


Faramir wrote:
> Maybe they need to force compatibility with PGP 6.x... I recall
> recently there was some talk about the length of supported hash
> algorithms in PGP 6.x, but it was in another list (PGP-Basics list maybe?).

IIRC, it was regarding John Moore's signatures failing to verify under
PGP 8.x.  This was due to John using SHA512 as a signature algorithm,
and PGP 8.x not supporting that algorithm.

As David says, PGP 6.x is long in the tooth.  It's a decade old at this
point -- more; I think it came out in '98.  IMO, it ought to be abandoned
for security reasons.

It was written in '97-'98.  That means it predates even Windows 98.
Windows has changed /enormously/ since then.  Neither Network Associates
nor PGP Corporation ever certified PGP 6.x for use on Windows 2000
machines, and now that we've seen XP come and go, are seeing Vista get
deployed, and have Windows 7 on the way...

... well.

You have to ask some questions.  What are the odds that something PGP
6.x depends upon will have changed in some subtle way over the last ten
years?  And do you really want to take that risk?
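The SHA512-versus-PGP-8.x failure mentioned above comes down to a single byte in the OpenPGP signature packet: the hash-algorithm identifier. The script below is an added example, not code from this post or from the GnuPG project. It reads a detached signature (ASCII-armored or binary), walks the RFC 4880 packet layout, and reports which digest the signature was made with so that can be checked before a signature is handed to an older verifier. The `LEGACY_HASHES` set and the constructed sample packets are assumptions made for the example; the post only establishes that PGP 8.x rejects SHA512.

```python
"""Report the digest algorithm an OpenPGP signature was made with.

Added example, not code from the GnuPG project or from the post above.  It
walks the OpenPGP (RFC 4880) signature packet layout so a detached signature
can be inspected for its hash algorithm before it goes to a verifier that
predates the SHA-2 family.
"""
import base64
import struct
import sys

# RFC 4880 section 9.4 (hash) and 9.1 (public-key) algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PK_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA"}

# Assumption for this example: the legacy verifier is taken to know only the
# pre-SHA-2 digests.  The post establishes only that PGP 8.x rejects SHA512;
# adjust this set for the verifier you actually target.
LEGACY_HASHES = {1, 2, 3}


def dearmor(text):
    """Strip ASCII armor (BEGIN line, armor headers, CRC24 line, END line)."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:                      # armor headers end at a blank line
        if line.strip() == "":
            break
    data = []
    for line in lines:                      # "=xxxx" is the CRC24 line
        if line.startswith("=") or line.startswith("-----END"):
            break
        data.append(line.strip())
    return base64.b64decode("".join(data))


def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for the packet at offset."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                        # new-format header
        tag, b1 = first & 0x3F, data[offset + 1]
        if b1 < 192:
            return tag, offset + 2, b1
        if b1 < 224:
            return tag, offset + 3, ((b1 - 192) << 8) + data[offset + 2] + 192
        if b1 == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, offset + 2, data[offset + 1]
    if ltype == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if ltype == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate length not supported")


def parse_signature(data):
    """Return version, type and algorithm identifiers of a signature packet."""
    tag, start, length = parse_packet_header(data)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = data[start:start + length]
    if len(body) < length:
        raise ValueError("truncated signature packet")
    version = body[0]
    if version == 3:
        # v3: version, 0x05, sig type, time(4), key id(8), pk algo, hash algo
        if body[1] != 5:
            raise ValueError("bad v3 hashed-material length")
        sig_type, pk_algo, hash_algo = body[2], body[15], body[16]
    elif version == 4:
        # v4: version, sig type, pk algo, hash algo, then subpacket areas
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return {"version": version, "sig_type": sig_type,
            "pk_algo": PK_ALGOS.get(pk_algo, str(pk_algo)),
            "hash_algo": HASH_ALGOS.get(hash_algo, str(hash_algo)),
            "hash_id": hash_algo, "legacy_ok": hash_algo in LEGACY_HASHES}


def build_v4_signature(hash_algo, pk_algo=1, key_id=b"\x01\x23\x45\x67\x89\xAB\xCD\xEF"):
    """Constructed v4 signature packet with a dummy MPI; not a valid signature."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1239770752)     # creation-time subpacket
    unhashed = bytes([9, 16]) + key_id                          # issuer subpacket
    body = bytes([4, 0x00, pk_algo, hash_algo])                 # v4, binary document
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xAB\xCD"                                         # left 16 bits of hash
    body += struct.pack(">H", 16) + b"\xFF\xFF"                 # one dummy 16-bit MPI
    return bytes([0x88, len(body)]) + body                      # old-format header, tag 2


def describe(raw):
    """Human-readable verdict for one signature, armored or binary."""
    if raw.lstrip().startswith(b"-----BEGIN PGP"):
        raw = dearmor(raw.decode("ascii"))
    info = parse_signature(raw)
    verdict = ("a pre-SHA-2 verifier should accept it" if info["legacy_ok"]
               else "expect failure on a pre-SHA-2 verifier")
    return "v%d %s signature, digest %s: %s" % (
        info["version"], info["pk_algo"], info["hash_algo"], verdict)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(describe(open(sys.argv[1], "rb").read()))
    else:
        for algo in (2, 10):        # constructed packets, not real signatures
            print(describe(build_v4_signature(algo)))
```

Point it at a `gpg --detach-sign -a` output (`python sigdigest.py file.asc`, file name assumed); `gpg --list-packets` shows the same `digest algo` field and is the built-in way to check. On the hardened side, the fix for the failure the post describes is to sign with a digest the target verifier supports, which is a policy decision the script only informs.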

