gcry_pk_hash_verify() crashes when the data_tmpl argument does not contain a %s placeholder for the hash algorithm, but instead is explicitly specified.
This contradicts the documentation, which says:
See gcry_pk_hash_sign, for the explanation of handle for hash, data-tmpl and ctx.
The documentation for gcry_pk_hash_sign() says both methods are supported:
A template should include "(hash %s %b)" or "(hash ALGONAME %b)". For the former case, "%s" is substituted by the string of algorithm of gcry_md_get_algo (hd) and when gcry_md_read is called, ALGO=0 is used internally. For the latter case, hash algorithm by ALGONAME is used when gcry_md_read is called internally.
I'm attaching a reproducer for this issue: