On Apr 14, 2009, at 9:10 PM, Ronald Cook wrote:

Hi.

I've been scouring the gnupg-users mail archives but haven't yet seen
a solution to this.

One of our clients recently upgraded their production installation of
GnuPG 1.4.5 to version 1.4.9.  They send encrypted / signed files to
us almost daily for real-time financial processing.

Prior to their upgrade, files received from them passed signature
verification and decrypted successfully in our production installation
of PGP 6.x, circa 1999-2000.  Since the upgrade, signature
verification fails.

They've not changed their key and manual decryption / verification
works correctly through a stand-alone GnuPG 1.4.9.

It took a while for us to get them to admit to the upgrade; now they
can't recall if they had any specific command line options in place
that might not have been replicated to the new version.

Might anyone have any ideas as to anything we can suggest to them, or
any comments as to what might have changed in their process?

Feel free to request more information.  If I can provide it without
violating my employer's NPI regulations, I'll be glad to do so.

So, the decryption and verification works with GPG 1.4.9, but not with a PGP 6.x. It might be an algorithm conflict, or possibly a hashing problem. Can you tell me about what error is returned when PGP 6.x tries to process the file?

Other questions:

- are the files encrypted and signed in one piece, or are the signatures detached signatures?
- is this a DSA or RSA signature? (when you did the test with 1.4.9, it would say "using DSA key" or "using RSA key" when it verified).
- Can you repeat the test decrypt/verify that you did with the standalone 1.4.9, except add a "-v" to the command line. This will make GPG print out some extra information. The pieces that are most relevant to the problem are the lines that read "gpg: XXXXXX encrypted data" and "gpg: YYYYYY signature, digest algorithm ZZZZZZ". Can you send me XXXXXX, YYYYYY, and ZZZZZZ?

You might try asking your client to add "--pgp6" to their GPG command line. PGP 6 is not really completely up to the modern PGP spec (it's a good few years out of date), and --pgp6 tells GPG to try and be compatible with the older version.

David
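
Added example, not part of the original thread or of GnuPG: a shell function that pulls the values David asks for out of `gpg -v` output and checks the cipher and digest against the algorithm sets the gpg(1) manual lists for `--pgp6`. The sample output and the names `pgp6_check`, `in_set` and `sample_client_output` are constructed for illustration; the line formats assumed are those printed by GnuPG 1.4.

```shell
#!/bin/sh
# Algorithm sets that the gpg(1) manual lists for --pgp6.
PGP6_CIPHERS="IDEA 3DES CAST5"
PGP6_DIGESTS="MD5 SHA1 RIPEMD160"

# in_set WORD "LIST": true if WORD is one of the space-separated items in LIST.
in_set() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# pgp6_check: read `gpg -v` diagnostics on stdin, print one line per algorithm
# found, and return 1 if any cipher or digest is outside the --pgp6 sets.
pgp6_check() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "gpg: "*" encrypted data")
                a=${line#gpg: }; a=${a% encrypted data}
                a=${a%%.*}              # newer gpg prints e.g. AES256.CFB
                if in_set "$a" "$PGP6_CIPHERS"; then echo "cipher $a ok"
                else echo "cipher $a NOT-PGP6"; rc=1; fi ;;
            "gpg: "*" signature, digest algorithm "*)
                d=${line##* digest algorithm }
                d=${d%%[!A-Za-z0-9]*}   # drop any text after the digest name
                if in_set "$d" "$PGP6_DIGESTS"; then echo "digest $d ok"
                else echo "digest $d NOT-PGP6"; rc=1; fi ;;
            "gpg: Signature made "*" using "*" key"*)
                k=${line##* using }; k=${k%% key*}
                echo "sigkey $k" ;;
        esac
    done
    return $rc
}

# Constructed sample of `gpg -v` output (not taken from the thread).
sample_client_output() {
cat <<'EOF'
gpg: encrypted with 2048-bit ELG-E key, ID DEADBEEF, created 2005-01-01
gpg: AES256 encrypted data
gpg: Signature made Tue Apr 14 12:00:00 2009 UTC using DSA key ID 0BADCAFE
gpg: binary signature, digest algorithm SHA1
EOF
}

# Usage: on real data, feed it `gpg -v --decrypt FILE 2>&1 >/dev/null`.
sample_client_output | pgp6_check || echo "an algorithm is outside the --pgp6 sets"
```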

