files with different md5, but signature checks out ok?

Andreas Hasenack andreas@conectiva.com.br
Mon Nov 19 15:10:02 2001


--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

A friend of mine showed me this:

[niemeyer@ibook niemeyer]$ md5sum data1.txt data2.txt
b37073d716ab81fd9f7cc82962de8f69  data1.txt
2aad49faac42dfb1c68e81f7dd584fb6  data2.txt

[niemeyer@ibook niemeyer]$ gpg --verify data1.sig data1.txt
gpg: Signature made Mon 19 Nov 2001 11:31:02 AM BRST using DSA key ID 66643A0C
gpg: Good signature from "Gustavo Niemeyer <gustavo@niemeyer.net>"
gpg:                 aka "Gustavo Niemeyer <niemeyer@conectiva.com>"

[niemeyer@ibook niemeyer]$ gpg --verify data1.sig data2.txt
gpg: Signature made Mon 19 Nov 2001 11:31:02 AM BRST using DSA key ID 66643A0C
gpg: Good signature from "Gustavo Niemeyer <gustavo@niemeyer.net>"
gpg:                 aka "Gustavo Niemeyer <niemeyer@conectiva.com>"

The only difference between these two files is that one has lines terminating
with CR/LF, and the other uses standard unix format (only LF or CR at the
end, can't remember which one right now).

So, gpg seems to be ignoring these termination issues. How does it know
this is a text file? How can it be sure?
This raises another question for me. Some MTAs mangle the messages, converting
them to/from 8bit, for example, and other things. This can potentially corrupt
signed messages, right? Or do some MTAs check things like content-type or
other mail headers and, if they detect this is a signed message, they don't
mess with it?

Since these files are small, I'm attaching a tarball (~500bytes) with them 
to this message.


--AhhlLboLdkugWU4S
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="data.tar.gz"
Content-Transfer-Encoding: base64

H4sICJoM+TsCA2RhdGEudGFyAO3UXW+aUBjAca5P4nd4Lrc06OG9ungBisytodrqXrMLqkd6
FA4UDor79EO3ZlnabVmTtVvy/LggOc8h4SV/lpGMtHbJY+XvoRqlNqUKbTi2+cP5wLCamWM4
tk5N22nWNaO5QAGqPIKqlFEBoAjOUrZnxc/2/W7+n1IPPD8YhzAJJnA5DkJ3Nr/wj+vkDStK
nokeBKKaBLDV2rRtw7MgnHfOuKjq52SQpSkTsgejrAAuVhmUjMG1lHmv09ntdu1YVHnczoqY
ED48HXpT3zmZpm/Hyfk+TT9szuPdhbtZfHZfmev69Tans+kkPlvn+UqwuelLzzVG23hw5Wkn
jLyXl+b63YLm1ual18l1J5SOVbt90k+8YUKO9+yHw/ueREH3Wh77l7V8yv41607/pon9P4ZB
JmTTrzrb56wHktWykycRFy9gcR0VJZP9qlSjcsF5i9zuHfIyz0ouj38GLhIu2PfhrIhEuWKF
6otFtuQi7sFNlUm2VPOCCxldJc3mw6GqfZ22SHD4ANsMwm/v9zD6CLrrDsDp6qdAR94IqN7t
guV7FoBNfR103TLA07su2LZtguHSAXxqYeQP619/6v6pedu/pWnOsX8D+//H+v9V/n9SPyFf
079TPnlg95g9QgghhBBCCCGEEEIIIYQQQgg1vgBbwRTyACgAAA==

--AhhlLboLdkugWU4S--