gpg --decrypt strips space (but not CR) from clearsigned text

Brian Candler B.Candler at pobox.com
Thu Jul 10 13:06:08 CEST 2008


(gpg version 1.4.6, Ubuntu 8.06)

When I generate a clearsigned document, the signature is insensitive to
adding extra spaces, tabs or CR (0x0D) to the end of each line. This is all
fine and in accordance with RFC 2440.

The clearsigned document retains the extra spaces, tabs and CRs exactly as
they were in the source document.

However, if I pass this clearsigned document to "gpg --decrypt" and redirect
stdout to a file, I find that the extra spaces and tabs are stripped,
although a trailing CR is retained.

To demonstrate:

perl -e 'print "Line one\nLine two \nLine three\t\nLine four \t\r\n"' >testfile
gpg --clearsign testfile
gpg --decrypt testfile.asc >testfile2

$ hexdump -C testfile
00000000  4c 69 6e 65 20 6f 6e 65  0a 4c 69 6e 65 20 74 77  |Line one.Line tw|
00000010  6f 20 0a 4c 69 6e 65 20  74 68 72 65 65 09 0a 4c  |o .Line three..L|
00000020  69 6e 65 20 66 6f 75 72  20 09 0d 0a              |ine four ...|
0000002c
$ cat testfile.asc | grep ^Line | hexdump -C
00000000  4c 69 6e 65 20 6f 6e 65  0a 4c 69 6e 65 20 74 77  |Line one.Line tw|
00000010  6f 20 0a 4c 69 6e 65 20  74 68 72 65 65 09 0a 4c  |o .Line three..L|
00000020  69 6e 65 20 66 6f 75 72  20 09 0d 0a              |ine four ...|
0000002c
$ hexdump -C testfile2
00000000  4c 69 6e 65 20 6f 6e 65  0a 4c 69 6e 65 20 74 77  |Line one.Line tw|
00000010  6f 0a 4c 69 6e 65 20 74  68 72 65 65 0a 4c 69 6e  |o.Line three.Lin|
00000020  65 20 66 6f 75 72 0d 0a                           |e four..|

I was hoping to use "gpg --decrypt" as a way to simultaneously verify the
signature and to strip off the wrapping and dash-escaping. However I want to
retain trailing spaces as they were in the source, and unfortunately that's
not happening.

Now, as far as I can see this is intentional, in g10/armor.c:
/* Now handle the end-of-line canonicalization */

although I don't see a test for this behaviour in checks/clearsig.test or
checks/armor.test

What strikes me as odd is that gpg retains a CR at the end of the line, but
not tabs or spaces. Furthermore, it happens for --decrypt but not for
--clearsign. Both these strike me as inconsistent.

Apart from disabling dash-escaping entirely(*), or moving to detached
signatures, can anyone suggest another way to verify and unwrap the source
document whilst keeping it intact?

Thanks,

Brian Candler.

(*) Because this breaks if the source document contains "-----BEGIN PGP
SIGNATURE-----". gpg will happily sign it without raising an error, but the
signed document is broken.
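
Added example, not part of the original post and not GnuPG's code: a Python model of the canonicalization described above, run over the two byte strings from the hexdumps, showing that both produce the same signed text and which trailing bytes fall outside the signature. It assumes trailing space, tab and CR are all ignored, as the post reports; the function names are made up for this example.

```python
import hashlib

# Bytes of "testfile" and "testfile2", copied from the hexdumps in the post.
TESTFILE = b"Line one\nLine two \nLine three\t\nLine four \t\r\n"
TESTFILE2 = b"Line one\nLine two\nLine three\nLine four\r\n"

# Assumption: the characters the post reports as ignored by the signature.
TRAILING = b" \t\r"


def canonical_text(data: bytes) -> bytes:
    """Model of the text a cleartext signature covers.

    Trailing whitespace on each line is dropped, line endings become CRLF,
    and the final line ending is not part of the signed text.
    """
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # input ended with a newline, so drop the empty remainder
    return b"\r\n".join(line.rstrip(TRAILING) for line in lines)


def signed_digest(data: bytes) -> str:
    """SHA-256 of the canonical text only; a real signature also hashes
    signature metadata, which is the same for both inputs here."""
    return hashlib.sha256(canonical_text(data)).hexdigest()


def unsigned_trailing_bytes(data: bytes) -> list:
    """Return (line_number, trailing_bytes) for bytes the signature ignores."""
    found = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        tail = line[len(line.rstrip(TRAILING)):]
        if tail:
            found.append((number, tail))
    return found


if __name__ == "__main__":
    print("byte-identical:", TESTFILE == TESTFILE2)
    print("same signed digest:", signed_digest(TESTFILE) == signed_digest(TESTFILE2))
    for number, tail in unsigned_trailing_bytes(TESTFILE):
        print(f"line {number}: {tail!r} is outside the signature")
```

Running unsigned_trailing_bytes over a document before clearsigning it tells you whether any bytes will be left unprotected; if the list is not empty and those bytes matter, a detached signature over the exact file is the byte-exact alternative mentioned in the post.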


