gpg --verify hangs on malformed signature

Steffen Ullrich ccrlphr at xensei.com
Wed Jul 22 13:39:15 CEST 1998


On Wed, Jul 22, 1998 at 09:07:09AM +0200, Werner Koch wrote:
> at the end of parse is only done if the parsingfunction returns with
> -1; which it does not.  We should change the line after the leave
> label in parse() to:

>	if( !rc && iobuf_error(inp) )
>		rc = ...

this helps, thanks.

> I think I should add some test cases for invalid data.

> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> >
> > when I validate the valid signature of a mail. I imported the foreign key, signed it and now I would think
> > if I signed the key it should be trusted - or whom should I trust if not me?

> Can you check this again with option "--debug 256"?  Anyway I'm
> currently rewriting all this stuff.

the debug info:
gpg: note: no default option file '/homes/steffen/.gnupg/options'
gpg: Warning: using insecure memory!
gpg: DBG: key 2FED2B5C: checking secret key
gpg: DBG: key 2FED2B5C.1: stored into ultikey_table
gpg: DBG: key 69ABA264: checking secret key
gpg: DBG: key 69ABA264.3: stored into ultikey_table
gpg: Signature made Fri May 22 10:55:44 1998 using DSA key ID F03ECD75
gpg: Good signature from "Another Person <person at somewhere>"
gpg: check_trust() called.
gpg: DBG: check_trust() returns trustlevel 0002.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/16384

and if it helps the output from gpg --list-sigs:
pub  1024D/2FED2B5C 1998-07-21 Steffen Ullrich (Console) <ccrlphr at xensei.com>
sig        2FED2B5C 1998-07-21   [selfsig]
sub  1024G/69ABA264 1998-07-21
sig        2FED2B5C 1998-07-21   [keybind]
pub  1024D/F03ECD75 1997-09-26 Another Person <person at somewhere>
sig        F03ECD75 1997-09-26   [selfsig]
sub  2048G/F4D33253 1997-09-26
sig        F03ECD75 1997-09-26   [keybind]
sig        2FED2B5C 1998-07-21   Steffen Ullrich (Console) <ccrlphr at xensei.com>



> > BTW, did you know that the German division of Network Associates (which now owns PGP) charges 3049,-
> > DM for a 10 user License? They still give you only the NT and Mac version, but starting with 10
> > users you are allowed to use the code which is available commercially under UNIX.

> Really? www.pgpi.com?

Yes and No. Looks like pgpi.com only cares for the non-commercial stuff. But they link to
pgpinternational.com which has information where to get the commercial version. For Germany I found:
  Network Associates GmbH, Deutschland, Tel.: +49-(0) 89-89 435 60
where I received the information.




> Werner







