Signature verification fails with GPG 1.4.0

Olaf Gellert og at pre-secure.de
Wed Aug 17 11:49:43 CEST 2005


Hi all,

I tried to verify the detached signature for a file
using GPG 1.4.0 (on SuSE 9.3). GPG told me that it was
a bad signature:

> gpg --verify libprelude-0.9.0-rc11.tar.gz.sig

Output:
gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
gpg: BAD signature from "Prelude Hybrid IDS Archives Verification Key
<ftpadmin at prelude-ids.org>"

Well, right now I installed GPG 1.4.2 and the signature
is validated successfully:

> gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
gpg: Good signature from "Prelude Hybrid IDS Archives Verification Key
<ftpadmin at prelude-ids.org>"

Some bug that was fixed recently? This is a little
bit weird... The files were:

http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz
http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz.sig

and they were transferred correctly (otherwise gpg 1.4.2 should
fail to validate the signature, too). Could this be related to
the signature being a "textmode" signature (on a binary file)?

Cheers, Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og at pre-secure.de

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet
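
The closing question in the message above (is the .sig a text-mode signature made over a binary file?) can be checked by reading the signature type octet from the OpenPGP signature packet. The following is an added example, not part of the original post and not GnuPG code; the function names and sample bytes are constructed, and only the generic OpenPGP rule that text signatures hash the data with line endings converted to CRLF is modeled, not the behaviour of any particular GnuPG version.

```python
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}

def packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII input first)")
    if first & 0x40:                      # new-format header
        tag, l1 = first & 0x3F, data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:                        # indeterminate length: rest of input
        return tag, 1, len(data) - 1
    size = 1 << ltype                     # 1, 2 or 4 length octets
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")

def signature_type(data):
    """Return (version, type_octet, description) for a detached signature."""
    tag, off, length = packet_header(data)
    if tag != 2:
        raise ValueError(f"first packet has tag {tag}, expected 2 (signature)")
    body = data[off:off + length]
    version = body[0]
    if version not in (3, 4):
        raise ValueError(f"unsupported signature version {version}")
    # v3 body: version, hashed length (5), type ...; v4 body: version, type ...
    sig_type = body[2] if version == 3 else body[1]
    return version, sig_type, SIG_TYPES.get(sig_type, "other")

def hashed_document(data, sig_type):
    """Bytes of the signed file that enter the hash for this signature type."""
    if sig_type == 0x01:                  # text mode: line endings become CRLF
        return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return data                           # binary mode: bytes used unchanged

# Constructed sample: header fields of a v4 text-mode signature, no real key or MPI.
SAMPLE_SIG = bytes([0x88, 0x0A, 0x04, 0x01, 0x01, 0x02, 0, 0, 0, 0, 0xAB, 0xCD])
# Constructed sample: binary data that happens to contain a bare LF (0x0A).
SAMPLE_FILE = b"\x1f\x8b\x08\x00\n\x00binary\r\npayload"

if __name__ == "__main__":
    print(signature_type(SAMPLE_SIG))
    print(hashed_document(SAMPLE_FILE, 0x01) != hashed_document(SAMPLE_FILE, 0x00))
```

To inspect a real file, pass the bytes of the binary .sig to signature_type(); a type of 0x01 means the signature covers the canonicalized bytes rather than the file as stored.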



