multiple file signing oddness
David Shaw
dshaw at jabberwocky.com
Sun May 23 06:34:20 CEST 2004
On Sat, May 22, 2004 at 07:01:23PM +0100, Nicholas Cole wrote:
>
> On version 1.2.4 and 1.3.5:
>
> gpg -o sig-file --detach-sign file1 file2
>
> gives a signature which is BAD if you do
>
> gpg --verify sig-file file1 file2
>
> but GOOD if you do
>
> gpg --verify sig-file file2 file1
>
> (i.e. if the files are specified in the reverse order
> from the one in which the signature was originally
> made).
Very interesting. That's not ideal since the syntax that is used to
generate the sigfile should be usable to verify the sigfile.
Changing it in 1.2.x is not a good idea as it may break some
assumptions and/or scripts, but I'll fix it for 1.3.x.
David
Index: verify.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/verify.c,v
retrieving revision 1.11
diff -u -r1.11 verify.c
--- verify.c 15 Apr 2003 15:46:13 -0000 1.11
+++ verify.c 23 May 2004 04:27:27 -0000
@@ -101,7 +101,7 @@
iobuf_push_filter( fp, armor_filter, &afx );
sl = NULL;
- for(i=1 ; i < nfiles; i++ )
+ for(i=nfiles-1 ; i > 0 ; i-- )
add_to_strlist( &sl, files[i] );
rc = proc_signature_packets( NULL, fp, sl, sigfile );
free_strlist(sl);
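Review bot: the reversed loop at `for(i=nfiles-1 ; i > 0 ; i-- )` carries no comment explaining why the files are walked backwards, so the fix depends on an ordering property of `add_to_strlist` that is not visible at this call site. A later cleanup could easily "correct" it back to a forward loop and reintroduce the BAD signature result for `gpg --verify sig-file file1 file2`. Add a one-line comment stating that the list must end up in command-line order because the data files are hashed in list order, or build the list with a forward loop and a helper that appends, so the order is explicit. It is also worth confirming that `i` is a signed type, since the new start value `nfiles-1` is only safe for a small `nfiles` if the `i > 0` comparison is signed. A regression test that detach-signs two files and verifies them in the same order would pin the behaviour down.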