OpenPGP: Signature digest prefix is not checked

Open vanitasvitae opened this issue 3 years ago • 1 comments

It was pointed out on the IETF openpgp mailing list that some implementations do not properly check the signature digest prefix.

It turns out Bouncy Castle - and by extension PGPainless - is affected by this as well; check results of PGPainless here (check marks in the second and third row of the table mean that signatures with corrupted digest prefix are not rejected).

As can be seen from the discussion on the mailing list thread, it is not totally clear how implementations are expected to behave in such a situation, but I figured it'd be worth pointing it out here.

Are you interested in a patch that adds digest prefix checking (not sure how complicated that would be to add)?

vanitasvitae, Jul 12 '22 07:07

So the prefix is really there to allow people to fail the signature without having to do a full signature calculation. I'm not sure if it really buys us anything these days (when it was originally done it was probably quite an optimization; in the grand scheme of things, signature verification is usually a cheap operation though).

I guess it does provide another mechanism to reject a signature (which I guess is what the email is commenting on), but as the writer says, other than mentioning the "feature" there's no instruction on what to do if the signature is otherwise valid. Usually I would go with what GPG does in a situation like this.

dghgit, Jul 19 '22 06:07
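
The check discussed in this thread, as an added example that is not bc-java or PGPainless code: the v4 signature digest is computed as in RFC 4880 section 5.2.4 and its first two octets are compared with the prefix stored in the signature packet, with a `strict` switch showing the lenient behaviour beside the rejecting one. Assumptions: SHA-256 as the hash, an HMAC as a stand-in for the public-key operation, and hypothetical function names, key and sample values constructed for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; stands in for real key material
DATA = b"signed document"       # constructed sample input

def v4_signature_digest(data, sig):
    """SHA-256 over the data plus the hashed part of a v4 signature and its trailer."""
    # Hashed part: version 4, signature type, public-key algorithm id,
    # hash algorithm id, two-octet subpacket length, hashed subpackets.
    hashed = bytes([4, sig["type"], sig["pk_algo"], sig["hash_algo"]])
    hashed += struct.pack(">H", len(sig["hashed"])) + sig["hashed"]
    # Trailer: 0x04, 0xFF, four-octet big-endian length of the hashed part.
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return hashlib.sha256(data + hashed + trailer).digest()

def make_sample_signature(data, key):
    """Build a constructed signature record with a correct digest prefix."""
    sig = {"type": 0x00, "pk_algo": 1, "hash_algo": 8,   # binary doc, RSA, SHA-256
           "hashed": b"\x05\x02" + struct.pack(">I", 1657609200)}  # creation time
    digest = v4_signature_digest(data, sig)
    sig["prefix"] = digest[:2]   # the "left 16 bits" field of the packet
    sig["mac"] = hmac.new(key, digest, hashlib.sha256).digest()    # stand-in
    return sig

def verify(data, sig, key, strict=True):
    """Verify a record; with strict=True a wrong prefix rejects before the key check."""
    digest = v4_signature_digest(data, sig)
    if strict and not hmac.compare_digest(digest[:2], sig["prefix"]):
        return "rejected: digest prefix mismatch"
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    if hmac.compare_digest(expected, sig["mac"]):
        return "valid"
    return "rejected: bad signature"

def corrupt_prefix(sig):
    """Copy of sig whose stored prefix has its first octet flipped."""
    p = sig["prefix"]
    return dict(sig, prefix=bytes([p[0] ^ 0xFF, p[1]]))

if __name__ == "__main__":
    good = make_sample_signature(DATA, KEY)
    bad = corrupt_prefix(good)
    print(verify(DATA, good, KEY))
    print(verify(DATA, bad, KEY, strict=True))
    print(verify(DATA, bad, KEY, strict=False))
```

With `strict=False` the corrupted-prefix record is reported as valid, which is the behaviour the issue describes.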