splitting up an inline-signed OpenPGP message

David Shaw dshaw at jabberwocky.com
Sun Sep 4 17:13:51 CEST 2016

On Sep 4, 2016, at 10:32 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> Hi GnuPG folks--
> I'd like to provide a simple utility to split an inline-signed OpenPGP
> message into a body and a signature that can then be verified
> independently with gpgv.
> I've written the following perl proof of concept but the result is a
> body and a signature that gpgv claims is BAD, even though the body
> exactly matches the exact output of "gpg --decrypt < inline-signed.txt"
> I test this with:
> 	gpg --no-options --batch --no-default-keyring --status-fd=2 --keyring $(pwd)/trustedkeys.gpg --output body.gpg-extracted --decrypt < inline-signed.txt
> 	./split-inline-signed.pl < inline-signed.txt >body 3>body.asc
> 	diff body.gpg-extracted body
> 	gpgv --status-fd 2 --keyring $(pwd)/trustedkeys.gpg body.asc body
> and everything works as expected until gpgv fails :/
> Can anyone point out what i've done wrong?

I think you're being bitten by the final line ending of the body.  Unlike the other line endings in a multi-line document, the final one is not a signed part of a clearsigned document.  For example, create a clearsigned document that just contains "foo", a line break, and "bar":

  echo -e "foo\nbar" | gpg --clearsign

If you run that through your perl tool, you get a body that contains "foo", a line break, "bar", and a line break.  The now-detached signature will not verify.  However, if you replace the body with "foo", a line break, "bar", but no final line break:

  echo -en "foo\nbar" > body

Then the signature should verify.
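The point in the reply above, as an added example that is not part of the original message or of the Perl tool under discussion: a splitter that leaves the line break before the signature marker out of the body. The function name and the sample message are assumptions, the signature data is a placeholder rather than a real signature, and the sample goes one step beyond the "foo"/"bar" case by including a dash-escaped line.

```python
import re

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"

# Constructed sample; "PLACEHOLDER" stands in for real signature data.
SAMPLE = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    b"foo\n- -dashed\nbar\n"
    b"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
)


def split_clearsigned(data: bytes):
    """Return (body, armored_signature) for one clearsigned message."""
    lines = re.split(rb"\r?\n", data)
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
        # Armor headers such as "Hash:" end at the first empty line.
        blank = lines.index(b"", start + 1, sig_start)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None

    text = lines[blank + 1:sig_start]
    # Undo dash-escaping: the signer prefixed "- " to lines starting with "-".
    text = [ln[2:] if ln.startswith(b"- ") else ln for ln in text]

    # Join *between* lines only. No line ending is appended after the last
    # line, because the final line break is not part of the signed text.
    body = b"\n".join(text)
    signature = b"\n".join(lines[sig_start:sig_end + 1]) + b"\n"
    return body, signature


if __name__ == "__main__":
    body, signature = split_clearsigned(SAMPLE)
    print(repr(body))
    print(signature.decode())
```
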

