Signature verification fails with GPG 1.4.0
David Shaw
dshaw at jabberwocky.com
Wed Aug 17 23:56:03 CEST 2005
On Wed, Aug 17, 2005 at 11:49:43AM +0200, Olaf Gellert wrote:
> Hi all,
>
> I tried to verify the detached signature for a file
> using GPG 1.4.0 (on SuSE 9.3). GPG told me that it was
> a bad signature:
>
> > gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
>
> Output:
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: BAD signature from "Prelude Hybrid IDS Archives Verification Key
> <ftpadmin at prelude-ids.org>"
>
> Well, right now I installed GPG 1.4.2 and the signature
> is validated successfully:
>
> > gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: Good signature from "Prelude Hybrid IDS Archives Verification Key
> <ftpadmin at prelude-ids.org>"
>
> Some bug that was fixed recently? This is a little
> bit weird... The files were:
>
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz.sig
>
> and they were transferred correctly (otherwise gpg 1.4.2 should
> fail to validate the signature, too). Could this be related to
> the signature being a "textmode" signature (on a binary file)?
Yes, that is what is wrong. There is a very long explanation about
text canonicalization which explains why it works in 1.4.2 but not in
1.4.0, but the bottom line is that if the file is binary, it needs a
binary sig or it just won't work reliably. (I've been trying to
persuade the spamassassin release people of this for a while now).
I can guarantee it will break between different versions of GnuPG, and
I can guarantee it will break between different versions of GnuPG and
PGP.
David
More information about the Gnupg-users
mailing list