Possible GPG signature-check bug

Larry Ellis Larry_C_Ellis at hotmail.com
Thu Apr 18 18:03:02 CEST 2002


The attached zip file contains four files:

Archive:  testfile.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      894  04-18-02 08:12   stamper.asc
       28  04-18-02 07:49   basemsg.txt
      953  04-18-02 09:13   lcekey.asc
     5687  04-18-02 09:12   stampkey.asc
 --------                   -------
     7562                   4 files


They are intended to demonstrate a possible bug in GPG.

To demonstrate, unzip the testfile archive.

Then, try the following sequence:

1.    gpg --import --allow-non-selfsigned-uid stampkey.asc
2.    gpg --import --allow-non-selfsigned-uid lcekey.asc
3.    gpg stamper.asc

When prompted for the data file, enter:

 basemsg.txt

You should see the following sequence of messages:


**************
Detached signature.
Please enter name of data file: basemsg.txt
gpg: Signature made 04/18/02 07:57:45 CDT using RSA key ID 70B61F81
gpg: BAD signature from "[?]"
gpg: Signature made 04/18/02 07:53:35 CDT using RSA key ID 79C023E5
gpg: Good signature from "Larry Ellis <Larry_C_Ellis at hotmail.com>"
**************

The problem is the bad signature.  Perhaps I am doing something wrong, but
this sequence reports two good signatures when run on PGP 2.6.2 and
PGP 6.5.8.

For example, try the following sequence on PGP 2.6.2:

1.    pgp stampkey.asc  (You'll get a bunch of warnings here)
2.    pgp lcekey.asc
3.    pgp stamper.asc basemsg.txt

...and you should get two valid signatures.  This also happens if you use
PGP 6.5.8 command-line.

Perhaps this should be reported as a bug, but I'd like to make sure there's
nothing I'm missing first.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: testfile.zip
Type: application/x-zip-compressed
Size: 2593 bytes
Desc: not available
Url : /pipermail/attachments/20020418/d1ce0471/testfile.bin
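
An added example, not part of the original post: a small Python parser that pairs each "Signature made" line in the gpg output quoted above with its verdict and applies a fail-closed acceptance check. The function names and the acceptance policy are assumptions made for illustration; the parser reads the human-readable text as shown in the message, whereas production scripts should read gpg's machine-readable `--status-fd` output.

```python
import re

# Constructed sample: the gpg output quoted in the message above.
SAMPLE = """\
Detached signature.
Please enter name of data file: basemsg.txt
gpg: Signature made 04/18/02 07:57:45 CDT using RSA key ID 70B61F81
gpg: BAD signature from "[?]"
gpg: Signature made 04/18/02 07:53:35 CDT using RSA key ID 79C023E5
gpg: Good signature from "Larry Ellis <Larry_C_Ellis at hotmail.com>"
"""

MADE = re.compile(r"^gpg: Signature made .* using (\w+) key ID ([0-9A-Fa-f]{8,16})\s*$")
VERDICT = re.compile(r'^gpg: (Good|BAD) signature from "(.*)"\s*$')


def parse_signatures(text):
    """Pair each 'Signature made' line with the verdict line that follows it."""
    results, pending = [], None
    for line in text.splitlines():
        made = MADE.match(line)
        if made:
            if pending:  # previous signature never received a verdict
                results.append({**pending, "verdict": "unknown", "uid": None})
            pending = {"algo": made.group(1), "keyid": made.group(2).upper()}
            continue
        verdict = VERDICT.match(line)
        if verdict and pending:
            results.append({**pending, "verdict": verdict.group(1).lower(),
                            "uid": verdict.group(2)})
            pending = None
    if pending:  # output ended before the last verdict line
        results.append({**pending, "verdict": "unknown", "uid": None})
    return results


def accept(results, required_keyids):
    """Assumed policy: every required key ID has a good signature, and no
    signature on the file is bad or unresolved."""
    good = {r["keyid"] for r in results if r["verdict"] == "good"}
    all_good = all(r["verdict"] == "good" for r in results)
    return bool(results) and all_good and set(required_keyids) <= good
```

With the output from the message, the check rejects the file even when only key 79C023E5 is required, because the signature from 70B61F81 is reported as bad.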

