Possible GPG signature-check bug

Larry Ellis Larry_C_Ellis at hotmail.com
Thu Apr 18 20:18:02 CEST 2002


Thanks for this...

Let me see if I understand you correctly.

It seems you're suggesting that both of these signatures are being applied
by GPG to the text file, as opposed to one being applied to the text file
and one applying to the other signature.  Is that correct?

If that is the case, is this as it should be?  If so, does that mean GPG
does not handle any sort of compound signatures?   Seems like a desirable
feature.

So...finally, the question remains... is this a bug?



Larry




----- Original Message -----
From: "David Shaw" <dshaw at jabberwocky.com>
To: <gnupg-devel at gnupg.org>
Sent: Thursday, April 18, 2002 11:40 AM
Subject: Re: Possible GPG signature-check bug


> On Thu, Apr 18, 2002 at 09:51:47AM -0500, Larry Ellis wrote:
> > The problem is the bad signature.  Perhaps I am doing something wrong, but
> > this sequence reports two good signatures when run on PGP 2.6.2 and
> > PGP 6.5.8.
> >
> > For example, try the following sequence on PGP 2.6.2:
> >
> > 1.    pgp stampkey.asc  (You'll get a bunch of warnings here)
> > 2.    pgp lcekey.asc
> > 3.    pgp stamper.asc basemsg.txt
> >
> > ...and you should get two valid signatures.  This also happens if you use
> > PGP 6.5.8 command-line
>
> Wow, that's an interesting problem.  Here's what is happening:
> stamper.asc contains two signatures, one from the stamper service
> (call it "A"), and one from you ("B").  Signature B is on basemsg.txt.
> Signature A is on signature B.  That is to say, the stamper service
> did not sign basemsg.txt - it signed your signature (I assume this is
> what you meant to do).
>
> The reason you are having a problem is that PGP and GnuPG treat a file
> like this differently.  PGP runs through the file and applies the
> signature to whatever comes afterwards (in this case, signature B).
> GnuPG treats it as two detached signatures.
>
> David
>
> --
>    David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
> +---------------------------------------------------------------------------+
>    "There are two major products that come out of Berkeley: LSD and UNIX.
>       We don't believe this to be a coincidence." - Jeremy S. Anderson
>
>
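The two readings of stamper.asc described in the quoted reply, modeled as an added example (not code from this thread, PGP or GnuPG). HMAC-SHA256 with constructed keys stands in for real OpenPGP signatures, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo keys. Assumption: HMAC-SHA256 substitutes for a
# public-key signature so the example runs with the standard library only.
KEY_A = b"stamper-service-demo-key"   # signer "A" (the stamper service)
KEY_B = b"author-demo-key"            # signer "B" (the message author)

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def good(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def make_stamped(msg: bytes):
    """Return the signatures in file order: A first, then B."""
    sig_b = sign(KEY_B, msg)      # B signs the text
    sig_a = sign(KEY_A, sig_b)    # A signs B's signature, not the text
    return [("A", KEY_A, sig_a), ("B", KEY_B, sig_b)]

def verify_chained(sigs, msg: bytes) -> dict:
    """Reading 1: each signature covers whatever follows it in the file."""
    results = {}
    for i, (name, key, sig) in enumerate(sigs):
        covered = sigs[i + 1][2] if i + 1 < len(sigs) else msg
        results[name] = good(key, covered, sig)
    return results

def verify_detached(sigs, msg: bytes) -> dict:
    """Reading 2: every signature is a detached signature over the text."""
    return {name: good(key, msg, sig) for name, key, sig in sigs}

if __name__ == "__main__":
    msg = b"constructed sample message\n"
    sigs = make_stamped(msg)
    print("chained :", verify_chained(sigs, msg))
    print("detached:", verify_detached(sigs, msg))
    # Under the chained reading, A still verifies when the text is altered,
    # so the text is only authenticated if every link in the chain is good.
    print("chained, altered text:", verify_chained(sigs, msg + b"x"))
```
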



