GnuPG Summer riddle 2007

Bernhard Reiter bernhard at
Wed Jan 23 09:13:44 CET 2008

-------------- next part --------------
Dear GnuPG Experts,

for your pleasure I am presenting the first GnuPG Summer Riddle!


a) To not spoil the fun for others, please
   indicate "SOLUTION" in email followups, if you think you've got it.
b) The applications below use the python interpreter with #!/usr/bin/python,
   have been tested on Debian Sarge and Sid with python2.3, 2.4 and 2.5
   and do not depend on external factors like a manipulated binary or operating
   system.  They are save to run and signed with my key (as you will see). 
c) For extra difficulty: Do not look into the application files.
d) The only reward this riddle offers is confidence in your analytic skills.
e) No need to cry "Wolf!" - no signatures nor cryptographic algorithms
   have been harmed by this riddle. Werner has been notifed this summer ...


It was one of these summer nights in August 2007. The weather was hot 
and humid so I could not sleep, but I also was too tired to do real work
and thus me and my Officer of Out-Of-Planet-operations hang around on IRC.
Chatchatting and wasting time, suddenly a strange visitor dropped in.
Well, it takes a while until somebody qualifies as "strange" on IRC, 
but this person? certainly did.

*** Spoff (n=Spoff at has joined channel #gnupg
Spooff: Hi there, anybody home?
#gnupg> Yes, barely. ;)
<Spoff> Are you Earth's crypto experts?
#gnupg> Not really. 
<Spoff> I am just flying by and checked up on the "GnuPG" software. Quite
+    interesting .. but not really advanced by galatic standards.
<cooopo> Tell us how to improve it.
<Spoff> No time to teach you, it also would violate ethic standard #F451.
#gnupg> Hey, proof it!
<Spoff> If you make a signature I can easily run a different file through
+    my little application and it will have the same signature.
/me laughs out loud.
* Spoff prepares to send an example file.
*** DCC file send request [2] from Spoff[@]: manglesig (9312 bytes)
Spoff is n=Spoff at (Spaceman Spoff)
*** On channels #gnupg
*** Via server (Milan, IT)
<cooopo> Where are you from?
<Spoff> I am from planet a-s-n, way outside of your solar system.
+       Studying some of your culture has been fun, I am jumping to the next
	station soon. Bye and thanks for all the crypto!j
*** Signoff: Spoff has quit (Ping Timeout.)

Okay, I now had this binary on my harddisc. So far so good. My curiosity
was tickled. I have used a qemu based sandbox system (its clock being screwd)
and gave it a try and it worked! Wow! This was really cool!!! 
And now to the sad part of the story: To my and your dismay, I have made
a mistake - probably because I am tired, while cleaning up some of the 
experiments, I accidently deleted the binary called "manglesig". ;((
I have tried the rest of the night, but in the morning I though I might
have all dreamed it, but I could recover one of the examples which I am
attaching to this email.  Three files "", "" and a signature
of See for yourself:

export LANG=en_GB
gpg2 --version | grep ver
 License GPLv3+: GNU GPL version 3 or later <>

gpg2 --verify
 gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
 gpg: Good signature from "Bernhard Reiter <bernhard at>"

gpg2 --verify
 gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
 gpg: Good signature from "Bernhard Reiter <bernhard at>"

 Hi, I'm your app tonight.

 Showing resistors is futile, you will be policed!

How is this possible???
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gsr1.7z
Type: application/octet-stream
Size: 396 bytes
Desc: not available
URL: </pipermail/attachments/20080123/b0560ee8/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: </pipermail/attachments/20080123/b0560ee8/attachment.pgp>

More information about the Gnupg-devel mailing list