gpg --verify hangs on malformed signature

Werner Koch wk at isil.d.shuttle.de
Wed Jul 22 10:07:09 CEST 1998


Steffen Ullrich <ccrlphr at xensei.com> writes:

> Sorry, but the patch doesn't help. Looking at the debug messages I think here is the one 
> who shows the problem first:
> 
> 	gpg: DBG: armor-filter: control: 3
> 	gpg: CRC error; d8b879 - 826da9
> 	gpg: DBG: parse_packet(iob=6): type=4 length=604044300
> 	                                            ^^^^^^^^^^^^

I noticed that.  The reason is that the (armored) data is scrambled
and the parsing code sees a packet of this length.  Yes, my patch is
not good:  skip_rest does not return an error code and the error
checking at the end of parse is only done if the parsing function
returns with -1; which it does not.  We should change the line after
the leave label in parse() to:

	if( !rc && iobuf_error(inp) )
		rc = ...


I think I should add some test cases for invalid data.

> 	gpg: WARNING: This key is not certified with a trusted signature!
> 	gpg: There is no indication that the signature belongs to the owner.
> 
> when I validate the valid signature of a mail. I imported the foreign key, signed it and now I would think
> if I signed the key it should be trusted - or whom should I trust if not me?

Can you check this again with option "--debug 256"?  Anyway I'm
currently rewriting all this stuff.

> BTW, did you know that the German division of Network Associates (which now owns PGP) charges 3049,-
> DM for a 10 user License? They still give you only the NT and Mac version, but starting with 10
> users you are allowed to use the code which is available commercially under UNIX.

Really? www.pgpi.com?  



Werner
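
An added example, not part of the original message and not GnuPG's code: a stand-alone parser for old-format OpenPGP packet headers that rejects a declared body length larger than the input actually available. This is a different check from the iobuf_error() test proposed above. All names are hypothetical, and the sample bytes are constructed so that the first header decodes to the type=4 length=604044300 from the quoted debug output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; this is not GnuPG's parse_packet(). */
enum { PKT_OK = 0, PKT_TRUNCATED = -1, PKT_BAD_HEADER = -2,
       PKT_UNSUPPORTED = -3, PKT_TOO_LONG = -4 };
struct pkt_hdr { int tag; uint32_t length; size_t hdr_len; };

/* Constructed sample: CTB 0x92 (old format, tag 4, 4-octet length), then
 * 0x2400FC0C = 604044300 as in the debug output, then 4 stray bytes. */
static const uint8_t scrambled[] = { 0x92, 0x24, 0x00, 0xFC, 0x0C,
                                     0xDE, 0xAD, 0xBE, 0xEF };
/* Constructed sample: tag 4, 1-octet length of 13, 13 body bytes. */
static const uint8_t wellformed[] = { 0x90, 0x0D, 3, 0, 2, 1, 1, 2, 3,
                                      4, 5, 6, 7, 8, 1 };

/* Parse one old-format packet header (RFC 4880, section 4.2.1) and refuse
 * a body length that the remaining input cannot satisfy. */
int parse_old_header(const uint8_t *buf, size_t avail, struct pkt_hdr *out)
{
    if (avail < 1) return PKT_TRUNCATED;
    uint8_t ctb = buf[0];
    if (!(ctb & 0x80)) return PKT_BAD_HEADER;   /* bit 7 is always set */
    if (ctb & 0x40) return PKT_UNSUPPORTED;     /* new format: not handled */
    int lentype = ctb & 0x03;
    if (lentype == 3) return PKT_UNSUPPORTED;   /* indeterminate length */
    size_t nlen = (size_t)1 << lentype;         /* 1, 2 or 4 length octets */
    if (avail < 1 + nlen) return PKT_TRUNCATED;
    uint32_t len = 0;
    for (size_t i = 0; i < nlen; i++)
        len = (len << 8) | buf[1 + i];
    out->tag = (ctb >> 2) & 0x0F;
    out->length = len;                          /* filled in for logging */
    out->hdr_len = 1 + nlen;
    /* The declared body must fit in what is left of the input. */
    return len > avail - out->hdr_len ? PKT_TOO_LONG : PKT_OK;
}

int main(void)
{
    struct pkt_hdr h;
    int rc = parse_old_header(scrambled, sizeof scrambled, &h);
    printf("scrambled:  rc=%d type=%d length=%lu\n", rc, h.tag, (unsigned long)h.length);
    rc = parse_old_header(wellformed, sizeof wellformed, &h);
    printf("wellformed: rc=%d type=%d length=%lu\n", rc, h.tag, (unsigned long)h.length);
    return 0;
}
```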




