Possible GPG signature-check bug
David Shaw
dshaw at jabberwocky.com
Thu Apr 18 19:40:01 CEST 2002
On Thu, Apr 18, 2002 at 09:51:47AM -0500, Larry Ellis wrote:
> The problem is the bad signature. Perhaps I am doing something wrong, but
> this sequence reports two good signatures when run on PGP 2.6.2 and
> PGP6.5.8.
>
> For example, try the following sequence on PGP 2.6.2:
>
> 1. pgp stampkey.asc (You'll get a bunch of warnings here)
> 2. pgp lcekey.asc
> 3. pgp stamper.asc basemsg.txt
>
> ...and you should get two valid signatures. This also happens if you use
> PGP 6.5.8 command-line
Wow, that's an interesting problem. Here's what is happening:
stamper.asc contains two signatures, one from the stamper service
(call it "A"), and one from you ("B"). Signature B is on basemsg.txt.
Signature A is on signature B. That is to say, the stamper service
did not sign basemsg.txt - it signed your signature (I assume this is
what you meant to do).
The reason you are having a problem is that PGP and GnuPG treat a file
like this differently. PGP runs through the file and applies the
signature to whatever comes afterwards (in this case, signature B).
GnuPG treats it as two detached signatures.
David
--
David Shaw | dshaw at jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
More information about the Gnupg-devel
mailing list