Possible GPG signature-check bug

Larry Ellis Larry_C_Ellis at hotmail.com
Thu Apr 18 21:48:02 CEST 2002

Well, as you assumed from the files I sent, the chunk of data that contained
the multiple signatures was from a timestamping service.  You also were
correct, in that this block of data was created by sending a signature to
the timestamping service, which in turn signed the signature and returned
the resulting block to me.

I'm not sure exactly what mechanism the service used to create this double

In any case, the questions are:

1.  Is there anything inherently wrong with the double signature block (for
example, does it violate some packet structure convention).

2. If the answer to 1 is no, whose handling of this is correct?  PGP's or

It seems clear that the timestamped block is handled the way it was intended
to be handled by everything but GPG.  So, I am wondering whether this
qualifies as a bug.  It seems that (unless there is some good reason not to)
GPG ought to be handling the double signature in the same manner as the
other versions.

Perhaps compound signature is not the best term, but I was only trying to
describe the packet structure that's failing here.


----- Original Message -----
From: "David Shaw" <dshaw at jabberwocky.com>
To: <gnupg-devel at gnupg.org>
Sent: Thursday, April 18, 2002 12:26 PM
Subject: Re: Possible GPG signature-check bug

> On Thu, Apr 18, 2002 at 12:18:28PM -0500, Larry Ellis wrote:
> > Thanks for this...
> >
> > Let me see if I understand you correctly.
> >
> > It seems you're suggesting that both of these signatures are being
> > by GPG to the text file, as opposed to one being applied to the text
> > and one applying to the other signature.  Is that correct?
> Correct.
> > If that is the case, is this as it should be?  If so, does that mean GPG
> > does not handle any sort of compound signatures?   Seems like a
> > feature.
> I'm not sure what you mean here by "compound signatures"?  Do you mean
> signatures on a signature, or multiple signatures on a given document?
> Which were you trying to do?
> David
> --
>    David Shaw  |  dshaw at jabberwocky.com  |  WWW
>    "There are two major products that come out of Berkeley: LSD and UNIX.
>       We don't believe this to be a coincidence." - Jeremy S. Anderson
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list