dealing with misplaced signatures
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jul 31 17:13:21 CEST 2012
On 07/31/2012 01:39 AM, Georgi Guninski wrote:
> Was the sig of the subkey made with vanilla gpg or was it manipulated?
examining the sig, it happens to be byte-for-byte identical with a sig
on one of the User IDs.
As a result of gpg's (faulty) moving of the sig to the last user ID, we
see the same sig show up after several of the User IDs as well.
observe all the places where this particular sig shows up:
$ gpg --export 0xED34CEABE27BAABC | gpgsplit
$ md5sum * | egrep '(^848762|(attribute|id|key)$)'
95687f448844ff7144ae806a3d44059e 000001-006.public_key
f92637abe07b5fe3fcc48c384703c932 000002-013.user_id
925db22aabd790504bb80b8d0e1a6202 000019-013.user_id
8487624d4fd7292872c7de2c83ec895d 000041-002.sig
580775fce5bd929da507fc031969b891 000044-013.user_id
8487624d4fd7292872c7de2c83ec895d 000046-002.sig
12086b15b600f899937a91ec7fac99a7 000048-013.user_id
565800d7a2d5c675622a03829c9d8ef5 000090-013.user_id
ab2cf4addd27785fdbef507767d769a8 000134-013.user_id
0537fb472a556e7f441909014a5cb133 000156-013.user_id
cc5f36051c98ac72364e950ab0f18bf5 000191-013.user_id
8487624d4fd7292872c7de2c83ec895d 000194-002.sig
714723044960babc2a8ccaff426099f3 000196-013.user_id
b5e8df1259ef36974559aa865719ee63 000243-013.user_id
8487624d4fd7292872c7de2c83ec895d 000284-002.sig
0a15d0f11daff87b908ecc0e8aebbc0d 000289-013.user_id
e1aa33ca83b5d2f629ddb216c50c88c0 000340-013.user_id
8487624d4fd7292872c7de2c83ec895d 000385-002.sig
af4faed7d2101b27fdd0fb4ca819f420 000389-017.attribute
8487624d4fd7292872c7de2c83ec895d 000426-002.sig
7b65f1bbcf1c826bafec1b829d6b9530 000430-014.public_subkey
9c2e77755a1e3cce68d1f0d302f361fd 000432-014.public_subkey
8487624d4fd7292872c7de2c83ec895d 000435-002.sig
$
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120731/2f4719ef/attachment.pgp>
More information about the Gnupg-devel
mailing list