--check-sig doesn't verify the signatures

Rafaël Carré funman at videolan.org
Wed Nov 28 01:01:54 CET 2007


Hello,

I noticed that when I modify signatures on my key (example: I change
the 8-byte-long ID in the unhashed subpacket of a signature to make gpg
think it was issued by someone else), gpg won't warn me it is invalid.

~ # gpg --check-sigs DE230742
pub   1024D/DE230742 2007-11-27
uid                  rafael <prout at prout>
sig!3        DE230742 2007-11-27  rafael <prout at prout>
sig!         C0AFF10F 2007-11-27  Rafaël Carré <funman at videolan.org>
sub   2048g/BC44AD60 2007-11-27
sig!         DE230742 2007-11-27  rafael <prout at prout>

I really signed that key with my key (ID C0AFF10F)

Now I change the long ID (6160 9E18 C0AF F10F) to another one (FD21
BC3B AC3E 0879)

~ # gpg --check-sigs DE230742
pub   1024D/DE230742 2007-11-27
uid                  rafael <prout at prout>
sig!3        DE230742 2007-11-27  rafael <prout at prout>
sig!         AC3E0879 2007-11-27  Christophe Mutricy (Xtophe)
<xtophe at nxtelevision.com>
sub   2048g/BC44AD60 2007-11-27
sig!         DE230742 2007-11-27  rafael <prout at prout>


gpg now makes me think it has been signed by someone else, and that
the signature is valid, but it is not the case.

No more luck with gpg --edit-key

Commande> check
uid  rafael <prout at prout>
sig!3        DE230742 2007-11-27  [auto-signature]
sig!         AC3E0879 2007-11-27  Christophe Mutricy (Xtophe)
<xtophe at nxtelevisi


Exporting the key and importing it somewhere else will show that the
signature is invalid.

sig-         AC3E0879 2007-11-27  Christophe Mutricy (Xtophe)
<xtophe at nxtelevision.com>


You would say that if my pubring has been modified, then it's too late, so I
think that isn't a real problem.

However, I guess --check-sig should be explicit that it doesn't verify
the key signatures (but uses a cached value?).

I discussed that on IRC with Peter Palfrader and he thought it
would be worth an e-mail.

Thanks ;)

-- 
Rafaël Carré
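As an added example (not part of Rafaël's message or of GnuPG itself), a small Python parser for the `--check-sigs` listing quoted above: it turns each `sig` line into its status flag, key ID, date and signer, joining the wrapped signer continuation lines. The flag meanings are those documented in the gpg manual; as the message shows, a `!` only says the keyring's stored status is good, not that gpg re-verified the signature packet on this run. The sample listing is constructed from the output quoted in the message.

```python
import re
from dataclasses import dataclass
from typing import List
# Flag right after "sig" in `gpg --check-sigs` output (gpg manual): '!' good,
# '-' bad, '%' verification error, '?' signing key not available. As the
# message shows, '!' can be the keyring's cached status, not a fresh check.
FLAG_MEANING = {"!": "good", "-": "bad", "%": "error", "?": "no-pubkey"}

SIG_RE = re.compile(r"^sig([!\-%?])(\d?)\s+([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")

@dataclass
class KeySig:
    flag: str        # one of FLAG_MEANING's keys
    cert_level: str  # "1".."3" for a certification level, "" if none
    keyid: str       # key ID as printed by gpg
    date: str
    signer: str      # signing key's user ID, wrapped continuation joined

def parse_check_sigs(output: str) -> List[KeySig]:
    """Parse the `sig` lines; a line starting with '<' is a wrapped
    continuation of the previous signer's user ID (as in the listing above)."""
    sigs: List[KeySig] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            flag, level, keyid, date, signer = m.groups()
            sigs.append(KeySig(flag, level, keyid.upper(), date, signer.strip()))
        elif sigs and line.startswith("<"):
            sigs[-1].signer += " " + line
    return sigs

def report(output: str) -> List[str]:
    """One 'KEYID status signer' line per signature, for quick review."""
    return [f"{s.keyid} {FLAG_MEANING[s.flag]} {s.signer}" for s in parse_check_sigs(output)]

# Constructed sample: the tampered listing from the message, plus the
# 'sig-' line it reports after exporting and re-importing the key.
SAMPLE = """\
pub   1024D/DE230742 2007-11-27
uid                  rafael <prout at prout>
sig!3        DE230742 2007-11-27  rafael <prout at prout>
sig!         AC3E0879 2007-11-27  Christophe Mutricy (Xtophe)
<xtophe at nxtelevision.com>
sub   2048g/BC44AD60 2007-11-27
sig!         DE230742 2007-11-27  rafael <prout at prout>
sig-         AC3E0879 2007-11-27  Christophe Mutricy (Xtophe)
<xtophe at nxtelevision.com>
"""
```

Running `report(SAMPLE)` lists the second `AC3E0879` signature as `bad` while the first still reads `good`, which is exactly the discrepancy the message describes between the cached listing and a fresh import.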