Page MenuHome GnuPG

Hard coded hash names make pk_sign less useful
Closed, ResolvedPublic


Release: 1.2.2


i686, GNU/Linux, gentoo


When performing a gcry_pk_sign operation, the hash methods are hard coded into the C code in pubkey.c (sexp_data_to_mpi). Thus, if a coder wishes to use another hash (which has been dynamically registered), gcry_pk_sign will return "Invalid Digest Algorithm" as an error.

By using the gcry_md_map_name() call to discover the algorithm type, the same functionality can be retained, but dynamically registered hashes can also be handled.

You can also program round this by pushing the PKCS-1 padding up to the calling program, and using a single MPI "blob" as the data to be signed, but this then violates the library layers - anyway, the blob signing is marked as legacy behaviour in the text.

I've included a small patch to pubkey.c which (I think) changes the behaviour such that it will work with all hashes.


Patch against 1.2.2 attached

Related Objects

Event Timeline

I have commited a similar fix to the SVN (-r1214).

It is in fact useful as it also allows the use of OIDs instead of the algorithm
names. If you try this and provide a string with the S-expression, recall that
items a leading digit need to be prefixed with the length: "5:1.2.3" - or use an
old libgcrypt kludge and prefix the OID with oid.: "oid.1.2.3:.