Bug #126994 for Crypt-OpenPGP: Fails to verify signatures made by GnuPG v2; SHA-2 and RIPEMD-160 also broken

It seems that Crypt::OpenPGP handles clearsigned signatures very poorly. We first discovered this bug when working on Module::Signature (https://github.com/audreyt/module-signature/issues/23) In short, Crypt::OpenPGP fails to verify all signatures generated by gpg2, as well as gpg1 signature using RIPEMD-160 and SHA-2. The key used to sign is just a throwaway 1024-bit RSA key. Test snippets: $ for alg in MD5 SHA{1,224,256,384,512} RIPEMD160; do echo "Hello World" | gpg1 --default-key 4E8A44BB --clearsign --openpgp --digest-algo $alg --passphrase foobar --quiet --batch > SIGNATURE && echo -n "$alg: " && perl test.pl ; done gpg: WARNING: digest algorithm MD5 is deprecated MD5: Success SHA1: Success SHA224: Failure SHA256: Failure SHA384: Failure SHA512: Failure RIPEMD160: Failure $ for alg in MD5 SHA{1,224,256,384,512} RIPEMD160; do echo "Hello World" | gpg --default-key 4E8A44BB --clearsign --openpgp --digest-algo $alg --passphrase foobar --quiet --batch > SIGNATURE && echo -n "$alg: " && perl test.pl ; done gpg: WARNING: digest algorithm MD5 is deprecated MD5: Message hash does not match signature checkbytes SHA1: Message hash does not match signature checkbytes SHA224: Message hash does not match signature checkbytes SHA256: Message hash does not match signature checkbytes SHA384: Message hash does not match signature checkbytes SHA512: Message hash does not match signature checkbytes RIPEMD160: Message hash does not match signature checkbytes test.pl: /* ----------------------------------------------------------- */ #!/usr/bin/perl use Crypt::OpenPGP; my $pgp = Crypt::OpenPGP->new( Compat => "GnuPG", ); my $res = $pgp->verify(SigFile => "./SIGNATURE"); if (defined $res) { if ($res) { print "Success\n"; } else { print "Failure\n"; } } else { print $pgp->errstr; } /* ----------------------------------------------------------- */ $ uname -a Linux bionic-vm 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ perl -v | awk 'NR==2 {print $0}' This is perl 5, version 26, subversion 1 (v5.26.1) built for x86_64-linux-gnu-thread-multi $ gpg --version | head -n2 gpg (GnuPG) 2.2.4 libgcrypt 1.8.1 $ gpg1 --version | head -n1 gpg (GnuPG) 1.4.22 $ perl -MCrypt::OpenPGP -le 'print $Crypt::OpenPGP::VERSION' 1.12 ======== Best regards Niklas Holm