Possible GPG signature-check bug

David Shaw dshaw at jabberwocky.com
Thu Apr 18 19:40:01 CEST 2002

On Thu, Apr 18, 2002 at 09:51:47AM -0500, Larry Ellis wrote:
> The problem is the bad signature.  Perhaps I am doing something wrong, but
> this sequence reports two good signatures when run on PGP 2.6.2 and
> PGP6.5.8.
> For example, try the following sequence on PGP 2.6.2:
> 1.    pgp stampkey.asc  (You'll get a bunch of warnings here)
> 2.    pgp lcekey.asc
> 3.    pgp stamper.asc basemsg.txt
> ...and you should get two valid signatures.  This also happens if you use
> PGP 6.5.8 command-line

Wow, that's an interesting problem.  Here's what is happening:
stamper.asc contains two signatures, one from the stamper service
(call it "A"), and one from you ("B").  Signature B is on basemsg.txt.
Signature A is on signature B.  That is to say, the stamper service
did not sign basemsg.txt - it signed your signature (I assume this is
what you meant to do).

The reason you are having a problem is that PGP and GnuPG treat a file
like this differently.  PGP runs through the file and applies the
signature to whatever comes afterwards (in this case, signature B).
GnuPG treats it as two detached signatures.


   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
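
The two readings described in the message above, as an added example that is not part of the original post and is not code from PGP or GnuPG. It performs no cryptography: it only frames the packets (RFC 4880 section 4.2) and reports which bytes each signature would be checked against. The function names, the mode names "chained" and "detached", and the sample packets are assumptions constructed for illustration.

```python
# Added illustration of the message above; a model, not either tool's implementation.
SIGNATURE_TAG = 2  # OpenPGP packet tag for a signature packet

def split_packets(stream: bytes):
    """Return [(tag, start, end)] for each packet in a binary OpenPGP stream."""
    packets, pos = [], 0
    while pos < len(stream):
        start, ctb = pos, stream[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, stream[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length = ((first - 192) << 8) + stream[pos + 1] + 192
                pos += 2
            elif first == 255:
                length = int.from_bytes(stream[pos + 1:pos + 5], "big")
                pos += 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header (as PGP 2.6.x writes)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            nbytes = 1 << ltype             # 1, 2 or 4 length octets
            length = int.from_bytes(stream[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > len(stream):
            raise ValueError("truncated packet")
        pos += length
        packets.append((tag, start, pos))
    return packets

def signed_data(stream: bytes, document: bytes, mode: str):
    """Map each signature packet, in order, to the bytes it is taken to cover."""
    sigs = [(s, e) for tag, s, e in split_packets(stream) if tag == SIGNATURE_TAG]
    if mode == "detached":                  # GnuPG reading: each signature is over the file
        return [document for _ in sigs]
    if mode == "chained":                   # PGP reading: signature covers what follows it
        return [stream[e:] or document for _, e in sigs]
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: two signature packets with placeholder bodies (not real signatures).
SIG_A = bytes([0x89, 0x00, 0x04]) + b"AAAA"   # old format, 2-octet length
SIG_B = bytes([0xC2, 0x04]) + b"BBBB"         # new format, 1-octet length
STREAM, DOC = SIG_A + SIG_B, b"constructed stand-in for basemsg.txt\n"
```

In "chained" mode signature A is paired with signature B's packet and B with the document; in "detached" mode both are paired with the document, so a signature made over another signature cannot verify.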

More information about the Gnupg-devel mailing list