splitting up an inline-signed OpenPGP message
dshaw at jabberwocky.com
Sun Sep 4 17:13:51 CEST 2016
On Sep 4, 2016, at 10:32 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> Hi GnuPG folks--
> I'd like to provide a simple utility to split an inline-signed OpenPGP
> message into a body and a signature that can then be verified
> independently with gpgv.
> I've written the following perl proof of concept but the result is a
> body and a signature that gpgv claims is BAD, even though the body
> exactly matches the exact output of "gpg --decrypt < inline-signed.txt"
> I test this with:
> gpg --no-options --batch --no-default-keyring --status-fd=2 --keyring $(pwd)/trustedkeys.gpg --output body.gpg-extracted --decrypt < inline-signed.txt
> ./split-inline-signed.pl < inline-signed.txt >body 3>body.asc
> diff body.gpg-extracted body
> gpgv --status-fd 2 --keyring $(pwd)/trustedkeys.gpg body.asc body
> and everything works as expected until gpgv fails :/
> Can anyone point out what i've done wrong?
I think you're being bitten by the final line ending of the body. Unlike the other line endings in a multi-line document, the final one is not a signed part of a clearsigned document. For example, create a clearsigned document that just contains "foo", a line break, and "bar":
echo -e "foo\nbar" | gpg --clearsign
If you run that through your perl tool, you get a body that contains "foo", a line break, "bar", and a line break. The now-detached signature will not verify. However, if you replace the body with "foo", a line break, "bar", but no final line break:
echo -en "foo\nbar" > body
Then the signature should verify.
More information about the Gnupg-devel