BUGREPORT: gnupg and signing ...

Henrik Andreasson han@tajt.se
Sun, 11 Jul 1999 12:10:38 +0200 (CEST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I've found a bug/malfunction in gpg.
If you specify the same output file as the input file you never get the
contents of the infile within the signature.

Security:
This could be a potential point of insecurity IF it's like this (I'm
just speculating here): you read the in file, make the crypto stuff, write
the output file, in these stages: write the PGP begin message, READ THE
INPUT FILE, write out the input to the output, and then the signature.

Then an attacker has the time between the two reads to change the
input file, but the signature verify will fail so ...

Functionality:
Anyway, if it's an unsupported way of signing (with the same input and
output), gpg should say that when you try it.

Evidence: (:-)

### gpg sign with different in and output files: ###

[han@platan han]$ gpg --no-batch --comment "Made with PGP4Pine"
- --no-greeting --clearsign -a  -o /tmp/sf031181_o /tmp/sf031181

You need a passphrase to unlock the secret key for
user: "Henrik Andreasson (TAJT Security AB) <han@tajt.se>"
1024-bit DSA key, ID A497F989, created 1999-07-09

File `/tmp/sf031181_o' exists. Overwrite (y/N)? y
[han@platan han]$ more /tmp/sf031181_o
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     be somewhat more quiet
     --no-tty                     don't use the terminal at all
     --force-v3-sigs              force v3 signatures
     --force-mdc                  always use a MDC for encryption
 -n, --dry-run                    do not make any changes
     --batch                      batch mode: never ask
     --yes                        assume yes on most questions
     --no                         assume no on most questions
     --keyring                    add this keyring to the list of keyrings
     --secret-keyring             add this secret keyring to the list
     --default-key NA
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.8 (GNU/Linux)
Comment: Made with PGP4Pine

iD8DBQE3iGIJAIHwyaSX+YkRAt7BAJ9o6bxmBXKBwn3ML4y/dXXaM6OAKQCdEXcb
JFhUATFudtcwZIgBNDWVJOc=
=+3WZ
- -----END PGP SIGNATURE-----


### gpg sign with the same in and output files: ###

[han@platan han]$ gpg --no-batch --comment "Made with PGP4Pine"
- --no-greeting --clearsign -a  -o /tmp/sf031181 /tmp/sf031181

You need a passphrase to unlock the secret key for
user: "Henrik Andreasson (TAJT Security AB) <han@tajt.se>"
1024-bit DSA key, ID A497F989, created 1999-07-09

File `/tmp/sf031181' exists. Overwrite (y/N)? y
[han@platan han]$ more /tmp/sf031181
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.8 (GNU/Linux)
Comment: Made with PGP4Pine

iD8DBQE3iGJIAIHwyaSX+YkRAgR3AJ9IFz/EyJc9+jWllypbxuEkTIjE3ACfZMny
KqwiRzHXJmiL/LQdjVp9Uh8=   
=VQbY
- -----END PGP SIGNATURE-----




//Henrik Andreasson
han@tajt.se
+46-(0)8-564 100 67

TAJT Security AB
www.tajt.se
+46-(0)8-564 100 60
+46-(0)8-564 100 61 (fax)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBN4htrOxeMHm2nDpZEQIA2QCbB2lear2h3yFdcxQHfZnEDMqh9lgAnjxf
kSo+Gd75TqfSckhlbxpD+I8u
=kGyn
-----END PGP SIGNATURE-----
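
The failure mode reported above, as an added example that is not part of the original message and is not GnuPG's code: opening the output for writing truncates the input when both paths name one file, and a single read plus temp-file rename avoids both the empty body and the two-read window the report speculates about. The function names, the SHA-256 digest standing in for a real signature, and the sample text are assumptions made for the illustration.

```python
import hashlib, os, tempfile

def _frame(body: bytes) -> bytes:
    # Stand-in for signing (assumption): a real tool signs the hash with a key.
    return body + b"SIG:" + hashlib.sha256(body).hexdigest().encode() + b"\n"

def naive_sign(in_path, out_path):
    """Opens the output first; "wb" truncates it before the input is read."""
    with open(out_path, "wb") as out:
        with open(in_path, "rb") as src:
            body = src.read()   # already empty when both paths are one file
        out.write(_frame(body))
    return body

def is_same_file(in_path, out_path):
    """True for identical paths and for aliases (symlink, hard link)."""
    return os.path.exists(out_path) and os.path.samefile(in_path, out_path)

def safe_sign(in_path, out_path):
    """Reads the input once, writes a temp file, then renames it into place."""
    with open(in_path, "rb") as src:
        body = src.read()       # the hash and the emitted text use these same bytes
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(out_path)))
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(_frame(body))
        os.replace(tmp, out_path)   # atomic on POSIX; input stays intact until here
    except BaseException:
        os.unlink(tmp)
        raise
    return body

def demo():
    sample = b"constructed sample message\n"   # constructed input
    with tempfile.TemporaryDirectory() as d:
        path, alias = os.path.join(d, "msg.txt"), os.path.join(d, "alias.txt")
        with open(path, "wb") as f:
            f.write(sample)
        os.symlink(path, alias)
        detected = is_same_file(path, alias)
        safe_body = safe_sign(path, path)       # in place, content preserved
        with open(path, "rb") as f:
            safe_out = f.read()
        with open(path, "wb") as f:             # restore the sample
            f.write(sample)
        naive_body = naive_sign(path, alias)    # same file through the alias
        return {"detected": detected, "safe_body": safe_body,
                "safe_out": safe_out, "naive_body": naive_body}

if __name__ == "__main__":
    print(demo())
```

Comparing path strings would miss the alias case; `os.path.samefile` compares device and inode, so a tool can refuse or switch to the temp-file path before anything is truncated.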