gpg - Is the MDC check redundant if the file is signed?

Question

I understand that gpg 1.4.9 computes a MDC code by default. According to my research this corresponds to to Sym. Encrypted and Integrity Protected Data Packet (tag 18) in the PGP spec. If the file is signed doesn't this also provide modification protection (in addition to providing proof of sender's identity)?

I think this might be the case because I wrote code using the BouncyCastle API and and noticed that when one verified a signed file, a signature is computed from the encrypted data stream and compared against the one recorded in the file.

I'm trying to understand whether there is some redundancy here or if these two mechanisms serve different purposes.

Answer 1

Yes, all versions of GPG signatures provide modification protection. When you sign a document, it creates a hash of the document (which algorithm it uses depends on the preferences you have set). The hash is then encoded using your private key. Anybody can use your public key to decode the hash, assuring them that you are the one who sent the message. In addition, they know that the message has not been altered in the time after you signed it.

In addition, when encrypting a document, whether you sign it or not, an MDC hash is created. This is to provide modification protection in case the document is not signed. The RFC 4880 gives an explanation of why this may be useful:

The obvious way to protect or authenticate an encrypted block is to digitally sign it. However, many people do not wish to habitually sign data, for a large number of reasons beyond the scope of this document. Suffice it to say that many people consider properties such as deniability to be as valuable as integrity.

It seems that if you both encrypt and sign a message, then you have redundancy, although the signature gives you more information, assuring you about the identity of the sender in addition to the integrity of the message.