GnuPG Summer riddle 2007
Bernhard Reiter
bernhard at intevation.de
Wed Jan 23 09:13:44 CET 2008
Dear GnuPG Experts,
for your pleasure I am presenting the first GnuPG Summer Riddle!
20080123ber
Rules:
a) To not spoil the fun for others, please
indicate "SOLUTION" in email followups, if you think you've got it.
b) The applications below use the python interpreter with #!/usr/bin/python,
have been tested on Debian Sarge and Sid with python2.3, 2.4 and 2.5
and do not depend on external factors like a manipulated binary or operating
system. They are safe to run and signed with my key (as you will see).
c) For extra difficulty: Do not look into the application files.
d) The only reward this riddle offers is confidence in your analytic skills.
e) No need to cry "Wolf!" - no signatures nor cryptographic algorithms
have been harmed by this riddle. Werner has been notified this summer ...
Story:
It was one of these summer nights in August 2007. The weather was hot
and humid so I could not sleep, but I also was too tired to do real work
and thus me and my Officer of Out-Of-Planet-operations hung around on IRC.
Chatchatting and wasting time, suddenly a strange visitor dropped in.
Well, it takes a while until somebody qualifies as "strange" on IRC,
but this person? certainly did.
*** Spoff (n=Spoff at 212.22.103.87) has joined channel #gnupg
Spooff: Hi there, anybody home?
#gnupg> Yes, barely. ;)
<Spoff> Are you Earth's crypto experts?
#gnupg> Not really.
<Spoff> I am just flying by and checked up on the "GnuPG" software. Quite
+ interesting .. but not really advanced by galatic standards.
<cooopo> Tell us how to improve it.
<Spoff> No time to teach you, it also would violate ethic standard #F451.
#gnupg> Hey, proof it!
<Spoff> If you make a signature I can easily run a different file through
+ my little application and it will have the same signature.
/me laughs out loud.
* Spoff prepares to send an example file.
*** DCC file send request [2] from Spoff[@212.22.103.87]: manglesig (9312 bytes)
Spoff is n=Spoff at 212.22.103.87 (Spaceman Spoff)
*** On channels #gnupg
*** Via server calvino.freenode.net (Milan, IT)
<cooopo> Where are you from?
<Spoff> I am from planet a-s-n, way outside of your solar system.
+ Studying some of your culture has been fun, I am jumping to the next
station soon. Bye and thanks for all the crypto!j
*** Signoff: Spoff has quit (Ping Timeout.)
Okay, I now had this binary on my hard disc. So far so good. My curiosity
was tickled. I have used a qemu based sandbox system (its clock being screwed)
and gave it a try and it worked! Wow! This was really cool!!!
And now to the sad part of the story: To my and your dismay, I have made
a mistake - probably because I am tired, while cleaning up some of the
experiments, I accidentally deleted the binary called "manglesig". ;((
I have tried the rest of the night, but in the morning I thought I might
have all dreamed it, but I could recover one of the examples which I am
attaching to this email. Three files "app4.py", "app5.py" and a signature
of app4.py. See for yourself:
export LANG=en_GB
gpg2 --version | grep ver
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
gpg2 --verify app4.py.sig app4.py
gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
gpg: Good signature from "Bernhard Reiter <bernhard at intevation.de>"
gpg2 --verify app4.py.sig app5.py
gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
gpg: Good signature from "Bernhard Reiter <bernhard at intevation.de>"
./app4.py
Hi, I'm your app tonight.
./app5.py
Showing resistors is futile, you will be policed!
How is this possible???
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gsr1.7z
Type: application/octet-stream
Size: 396 bytes
Desc: not available
URL: </pipermail/attachments/20080123/b0560ee8/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: </pipermail/attachments/20080123/b0560ee8/attachment.pgp>