
multiple signatures can't be checked if they differ in algorithm
Open, Low, Public


Using all current versions of gpg, it appears that verifying a multi-signature
block can't be done correctly unless all signatures use the same signing scheme
and digest function.

This was brought to my attention by a blog post from Russ Allbery:

Event Timeline

werner lowered the priority of this task from Normal to Low. Sep 21 2015, 9:20 AM
werner added a subscriber: werner.

I degrade this to a minor bug because gpg knows about this:

  gpg: WARNING: multiple signatures detected.  Only the first will be checked.

See this comment:

  /* We can't currently handle multiple signatures of
     different classes or digests (we'd pretty much have
     to run a different hash context for each), but if
     they are all the same, make an exception. */
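To see, before relying on gpg's result, whether a signature block is one that gpg will only partially check, here is an added example (not GnuPG's code) that walks the packets of a binary OpenPGP signature block and reports whether the signature packets agree on class and digest; the sample packets are constructed stubs carrying only the leading signature fields, not real MPIs.

```python
# Added example, not GnuPG code: parse the packet headers of a binary OpenPGP
# signature block and check whether all signature packets share class and digest.

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old and new headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag, l0 = ctb & 0x3F, data[i + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + data[i + 2] + 192, 3
            elif l0 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported here")
            n = 1 << ltype
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def signature_summary(data):
    """Return (version, sigclass, pubkey_algo, hash_algo) for each signature packet."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 2:  # only signature packets (tag 2) matter here
            continue
        if body[0] in (4, 5):
            out.append((body[0], body[1], body[2], body[3]))
        elif body[0] == 3:  # v3: version, len(5), class, time[4], keyid[8], pkalgo, hashalgo
            out.append((3, body[2], body[15], body[16]))
    return out

def all_checkable_by_gpg(sigs):
    # gpg checks every signature only when class and digest agree across the block
    return len({(s[1], s[3]) for s in sigs}) <= 1

# Constructed stubs: RSA/SHA-256 (new-format header), DSA/SHA-512 (old-format header)
SIG_RSA_SHA256 = bytes([0xC2, 0x0A, 4, 0x00, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])
SIG_DSA_SHA512 = bytes([0x88, 0x0A, 4, 0x00, 17, 10, 0, 0, 0, 0, 0x12, 0x34])
MIXED_BLOCK = SIG_RSA_SHA256 + SIG_DSA_SHA512   # gpg would check only the first
SAME_BLOCK = SIG_RSA_SHA256 + SIG_RSA_SHA256    # gpg checks both
```

Run `signature_summary(MIXED_BLOCK)` and `all_checkable_by_gpg(...)` on a real detached signature (ASCII armor must be decoded first) to learn whether the "Only the first will be checked" case applies before accepting gpg's verdict.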