files with different md5, but signature checks out ok?

Werner Koch
Fri Dec 21 18:58:01 2001

On Mon, 19 Nov 2001 12:08:06 -0200, Andreas Hasenack said:

> So, gpg seems to be ignoring these termination issues. How does it know
> this is a text file? How can it be sure?

This is per OpenPGP.  If you create a message in --textmode (OpenPGP
signature class 0x01) lineendings are transformed to CR,LF before
calcualting the signature.

The only way to tell this is by looking at the signature packet using 
gpg --list-packets   and waching out for sigclass:

:signature packet: algo 17, keyid 2253B29A66643A0C
	version 3, created 1006176662, md5len 5, sigclass 01
	digest algo 2, begin of digest 47 33
	data: [158 bits]
	data: [155 bits]

> This raises another question for me. Some MTAs mangle the messages, converting
> them to/from 8bit, for example, and other things. This can potentially corrupt
> signed messages, right? Or do some MTAs check things like content-type or

Yes. This is the reason for --textmode but it has a couple of other
problems.  So the suggested solution is to use PGP/MIME (rfc3156)
which has all the required provisions.

IMHO, all this content modification stuff does not belong into the
OpenPGP layer.  However it is there fore historical reasons.


Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus