multiple signatures can't be checked if they differ in algorithm
Open, LowPublic
Actions

Edit Task
Edit Related Tasks...
Create Subtask
Edit Parent Tasks
Edit Subtasks
Merge Duplicates In
Close As Duplicate
Edit Related Objects...
Edit Commits
Edit Mocks
Edit Revisions
Mute Notifications
Award Token

Assigned To

None

Authored By

	dkg
	Jan 13 2013, 5:38 AM

Description

using all current versions of gpg, it appears that verifying a multi-signature
block can't be done correctly unless all signatures use the same signing scheme
and digest function.

This was brought to my attention by a blog post from Russ Allbery:

http://www.eyrie.org/~eagle/journal/2013-01/011.html

Event Timeline

dkg added projects: gnupg, Bug Report.Jan 13 2013, 5:38 AM

dkg added a subscriber: dkg.

I degrade this to a minor bug because gpg knows about this:

  gpg: WARNING: multiple signatures detected.  Only the first will be checked.

See this comment:
/* We can't currently handle multiple signatures of

different classes or digests (we'd pretty much have
to run a different hash context for each), but if
they are all the same, make an exception. */

multiple signatures can't be checked if they differ in algorithmOpen, LowPublicActions

Description

Event Timeline

multiple signatures can't be checked if they differ in algorithm
Open, LowPublic
Actions