No [GNUPG:] tag when 'not a detached signature' error
Thomas Arend
Thomas.Arend@t-online.de
Mon Jan 6 19:46:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Am Montag, 6. Januar 2003 11:32 schrieb Xavier Nodet:
> Hi,
>
> I noticed, using GnuPG 1.2.1, that when there is an error because
> a signature should have been detached, there is never a corresponding
> message beginning with "[GNUPG:] ", although I use --status-fd.
>
> I got this problem when trying to verify the signature of an ill-formed
> PGP-MIME message, and parsing only the "[GNUPG:] " lines.
>
> Here are steps to reproduce this problem.
>
> C:\tmp>echo clear-text > message.txt
> C:\tmp>gpg -a --sign message.txt
> You need a passphrase to unlock the secret key
> ...
> C:\tmp>gpg --status-fd=2 --command-fd 0 --verify message.asc message.txt
> gpg: not a detached signature
> C:\tmp>
>
> I feel there should also be an output line like:
>
> [GNUPG:] ERRSIG ...
>
> Did I miss something?
Hi,
there is a difference between "--sign" and "--detach-sign". gpg assumes a
detached signature when it gets more than one file as an argument, where the
first file is the signature.
You have built a normal signature. There are two ways to circumvent this problem.
A. Create a detached signature with gpg --detach-sign message.txt
or
B. gpg --verify message.asc <message.txt
Case B works with normal and detached signatures (surprise, surprise).
According to "verify.c", gpg assumes a detached signature, but later in the text it
says it assumes a normal signature.
Best regards
Thomas
from verify.c
/* decide whether we should handle a detached or a normal signature,
* which is needed so that the code later can hash the correct data and
* not have a normal signature act as detached signature and ignoring the
* intended signed material from the 2nd file or stdin.
* 1. gpg <file - normal
* 2. gpg file - normal (or detached)
* 3. gpg file <file2 - detached
* 4. gpg file file2 - detached
* The question is how decide between case 2 and 3? The only way
* we can do it is by reading one byte from stdin and then unget
* it; the problem here is that we may be reading from the
* terminal (which could be detected using isatty() but won't work
* when under control of a pty using program (e.g. expect)) and
* might get us in trouble when stdin is used for another purpose
* (--passphrase-fd 0). So we have to break with the behaviour
* prior to gpg 1.0.4 by assuming that case 3 is a normal
* signature (where file2 is ignored and require for a detached
* signature to indicate signed material comes from stdin by using
* case 4 with a file2 of "-".
*
* Actually we don't have to change anything here but can handle
* that all quite easily in mainproc.c
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+Gc+N2TqsmTFMxwkRAl+yAKCh/da//8idJKBZcCd8UB0bfzlCHgCfekb9
Uxl5hf6Pi/PgeIFJNH9XQD8=
=N/T+
-----END PGP SIGNATURE-----
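Added example (not code from the original thread, and not GnuPG's own code): a small Python driver and parser for `gpg --status-fd` output. It shows the argument shapes that the verify.c comment distinguishes (signature alone, signature plus data file, signature plus "-" for data on stdin), and a status-line parser that fails closed when no `[GNUPG:]` line is present at all, which is exactly the situation Xavier ran into with "not a detached signature". Keyword names (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NODATA, TRUST_*) are the ones documented in GnuPG's doc/DETAILS; the sample outputs, key ID, fingerprint and user ID below are constructed for the example, not captured from a real run.

```python
"""
Added example: drive `gpg --verify --status-fd` and parse the result so that
silence (no [GNUPG:] line) is treated as failure, not as success.
All sample outputs below are constructed; key IDs and fingerprints are fake.
"""
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords after which the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                    "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def build_verify_argv(sig_path: str, data_path: Optional[str] = None) -> List[str]:
    """Argument shapes for `gpg --verify`, following the cases in verify.c:

        [sig]          -> normal signature (the signature file carries the data)
        [sig, data]    -> detached signature over `data`
        [sig, '-']     -> detached signature, signed material read from stdin

    A detached signature whose data arrives on stdin needs the explicit '-'
    (case 4 in verify.c); one file argument plus redirected stdin is case 3,
    which gpg >= 1.0.4 treats as a normal signature and ignores stdin.
    Status lines are sent to fd 2 here, as in the original report; a real
    program should give them a dedicated pipe instead of mixing them with
    diagnostics.
    """
    argv = ["gpg", "--batch", "--status-fd", "2", "--verify", sig_path]
    if data_path is not None:
        argv.append(data_path)
    return argv


@dataclass
class VerifyResult:
    good: bool = False                  # GOODSIG seen
    key_id: Optional[str] = None        # long key ID from GOODSIG
    fingerprint: Optional[str] = None   # fingerprint from VALIDSIG
    trust: Optional[str] = None         # suffix of the TRUST_* line, if any
    errors: List[str] = field(default_factory=list)


def parse_status(output: str) -> VerifyResult:
    """Honour only lines carrying the [GNUPG:] prefix.

    Human-readable diagnostics such as "gpg: not a detached signature" are
    ignored on purpose: they are not a stable interface.  If no status line
    appears at all, NO_STATUS is recorded so the caller cannot mistake
    silence for success.
    """
    result = VerifyResult()
    saw_status = False
    for line in output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        saw_status = True
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            result.good = True
            result.key_id = args[0]
        elif keyword == "VALIDSIG" and args:
            result.fingerprint = args[0]
        elif keyword in FAILURE_KEYWORDS:
            result.errors.append(keyword)
        elif keyword.startswith("TRUST_"):
            result.trust = keyword[len("TRUST_"):]
    if not saw_status:
        result.errors.append("NO_STATUS")
    return result


def verify_ok(output: str, accepted_trust=("FULLY", "ULTIMATE")) -> bool:
    """Fail-closed decision: accept only if GOODSIG and VALIDSIG were both
    reported, no failure keyword appeared, and the key's trust level is one
    the caller accepts."""
    r = parse_status(output)
    return bool(r.good and r.fingerprint is not None and not r.errors
                and r.trust in accepted_trust)


# Constructed sample: a good signature from an ultimately trusted key.
GOOD_OUTPUT = """gpg: Signature made Mon Jan  6 19:46:02 2003 CET
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
gpg: Good signature from "Example User <user@example.org>"
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-01-06 1041878762
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed sample of the case from the thread: a normal signature passed as
# if it were detached.  gpg prints a diagnostic and no [GNUPG:] line at all.
NOT_DETACHED_OUTPUT = "gpg: not a detached signature\n"

# Constructed sample: signature present but does not verify.
BADSIG_OUTPUT = """[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>
gpg: BAD signature from "Example User <user@example.org>"
"""

if __name__ == "__main__":
    print(build_verify_argv("message.asc"))       # normal signature
    print(build_verify_argv("message.sig", "-"))  # detached, data on stdin
    for name, out in (("good", GOOD_OUTPUT), ("not detached", NOT_DETACHED_OUTPUT),
                      ("bad", BADSIG_OUTPUT)):
        print(name, verify_ok(out), parse_status(out).errors)
```

The point of NO_STATUS is the one the thread raises: a caller that only looks for `[GNUPG:]` lines sees nothing in the "not a detached signature" case, so the decision must default to "not verified" whenever the expected GOODSIG/VALIDSIG pair is absent, rather than to "no error seen".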