Serious problem with detached sigs
rpuls at gmx.net
Wed Nov 29 19:55:33 CET 2000
I think I found a serious problem with signature verification
under GnuPG. This may cause detached signatures to be reported as
"valid" while in fact they are not.
The problem is actually quite simple. When you type something
like "gnupg --verify detached_sig signed_file", you would expect GnuPG
to verify the detached signature against the signed file. If you now
replace the "detached_sig" file with a full, clear-signed message
(which is not related to the "signed_file" in any way), GnuPG still
reports a good signature - which is quite misleading.
This means that someone could, for example, modify the
gnupg-1.0.4.tar.gz file on the FTP server, replace the .sig file with
any message that is signed by Werner (no offense :) and nobody would
notice, because the --verify command will correctly verify the
detached signature (but as a full signed message, not as a detached
A fix for this should be quite simple, by making sure that the
detached_sig file given to the --verify command is *indeed* a detached
signature, at least if two files are given as arguments.
Rene Puls <rpuls at gmx.net> GnuPG key 0x8652FFE2
More information about the Gnupg-devel