New submission from micah <[email protected]>:
crypto.rb, line 41 has this:
envelope.header["Content-Type"] = 'multipart/signed;
protocol=application/pgp-signature; micalg=pgp-sha1'
that is no good if my hash algorithm is *not* sha1, which it is not. in fact,
what that creates are broken signatures, which some clients will complain about.
in fact, enigmail for one complains about them because gpg complains:
/usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 --verify
gpg: Signature made Wed 09 Dec 2009 01:03:13 PM EST using RSA key ID 2861A790
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
Sup should detect the hashing algorithm and set it properly, rather than
hardcoding it.
RFC 3156 reads:
The "micalg" parameter for the "application/pgp-signature" protocol
MUST contain exactly one hash-symbol of the format "pgp-<hash-
identifier>", where <hash-identifier> identifies the Message
Integrity Check (MIC) algorithm used to generate the signature.
Hash-symbols are constructed from the text names registered in [1] or
according to the mechanism defined in that document by converting the
text name to lower case and prefixing it with the four characters
"pgp-".
Currently defined values are "pgp-md5", "pgp-sha1", "pgp-ripemd160",
"pgp-md2", "pgp-tiger192", and "pgp-haval-5-160".
----------
messages: 80
nosy: micah
priority: bug
ruby_version: 1.8
status: unread
sup_version: 0.9
title: sup hardcodes the micalg in signatures
_________________________________________
Sup issue tracker <[email protected]>
<http://masanjin.net/sup-bugs/issue33>
_________________________________________
_______________________________________________
Sup-devel mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/sup-devel
