[Announce] GnuPG does not detect injection of unsigned data

vedaal at hush.com vedaal at hush.com
Thu Mar 9 23:55:43 CET 2006


In the announcement of the fix for this condition
on the gnupg announce list, it says the following:

=====[ begin quoted text ]=====

The only correct solution to this problem is to get rid of the feature
to check concatenated signatures - this allows for strict checking of
valid packet composition.  This is what has been done in 1.4.2.2 and
in the forthcoming 1.4.3rc2.  These versions accept signatures only if
they are composed of

  O + D + S
  S + D

=====[ end quoted text ]=====

I am not sure of the difference between concatenated signatures
and double-signed signatures.

Double-signed signatures are still allowed in 1.4.2.2 and still verified.

Here is an example:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: armored double signed file, signed with two rsa keys

owEBdwOI/JANAwAIAayhY/YEre4gAJANAwAIAWoFoLeFMG0lAawnYgdkc20udHh0
RBCwGnRlc3QgZG91YmxlIHNpZ25lZCBtZXNzYWdliQEVAwUARBCwGmoFoLeFMG0l
AQh2wQgAmpw0z7++Fiebum0FR1psIfo9/231NsNfGlwPTrOwltir1XmcgeG6vuln
S4+E1PSRZAXEKzqRrGLBM2yWC0QsbeWeHrkl6v56SxP7/Gu7fHc2esHRZ0vdcR6Y
gg2RttrGwWN3Docmuufp4E6a55IVnhUDY5CJmvcPm7JYtxYJ7ufsCjGcqGhVGMdL
Nx3tvIqNyX0yHnxGZyPbvMsvCBTUEIMmDS27MRwUa6DHVrKg04AIrCOC4Fgxl7x+
K4EVhV/aUjHHE+khRENCX9aUeNDxdkYy/N2uu3U2/6cCuaxhFoWrN8PYU4y0u0GM
qqMx2vtj8neycqNdtx8P3kbqyFdSRYkCFQMFAEQQsBusoWP2BK3uIAEIeogP/0ng
isFK3mGWJhYSfAHEGAdY+DcwMQyoisCTHZjRuKXKFJ/bq/Ol/Gz4rXOFjFilYsHE
vp3tcH064PGXe7rJG4fbHWj/p8gMAIuxiaAvAVMAvgK7xbyfTi5IgLvgp7Zv9UrZ
ID+RLlOSJNZZMN5/h3P/NDcIIrbTHOiAxej5ugKkJbFzoxdlVT7LLHLBSjEcLBaz
aYjI5+wvGc1aqE3UATqT1yiJRjzVoLdaUqxvSsPCAMLcsQ6HSGvx+ODDIZoSC8d1
/x90+nXE+olo4uVcBqgIClBgletnoiIC0oKVxMAO0EcKz+VHpn+xBFJbQWFVIL+F
5Be1x1RmVHpExmMenaEMZ0I7jmmF8mbSBaGjuoaHDXG2hW05Tx/c1+bv2TyLl0kX
I8TdHL27GwwlE8kpmmo2XODFKX5vlj3wOoXN9dkEtZs+qk7h88s3qQk79+0mfX5n
eFa5/fvx7uBvRKsd3NKpnzbQvfDw3KfMlLX66cR0jp6QoSTQtrTsx5HOI8JtbFxR
TEa2BV+eu6qmLa3ooYv66BNUn/FGiOfsqqWsjAxM5JHLoioXO4XXzNJtDlk6X6Vq
HcNNKNPOrse40D4HUSN4dmwdGg+nlvCiQQde0DHbmyHpodu3J2qFh2OEWXIjs35c
i/slwpqTqhU0ECFtNDhK7iv8Lue0IqxGyCaNlRBe
=ySCn
-----END PGP MESSAGE-----

Are double-signed signatures not concatenated?

Thanks,

vedaal
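The following is an added worked example, not part of the original post and not GnuPG's source: a small Python script that de-armors the message quoted above, descends into its compressed packet, maps the packet sequence onto the announcement's O/D/S shorthand and applies a composition check in that spirit. It assumes the shorthand means O = one-pass signature packet (tag 4), D = literal data packet (tag 11) and S = signature packet (tag 2), and it generalises the "O + D + S" layout to n nested one-pass signatures, O{n} D S{n}, with the 'nested' flag set only on the last one-pass packet and each signature answering a one-pass packet for the same key ID, which is how RFC 2440/4880 encode a message signed by several keys (the "double signed" case). On the posted message it reports OODSS and accepts it; with a constructed unsigned literal packet appended behind the signatures it reports OODSSD and rejects it, which is the class of problem the subject line names. Issuer matching is done for v3 signatures only, and whether this is exactly the check 1.4.2.2 performs is not something the example can establish.

```python
import base64, bz2, zlib

# The message posted above, embedded verbatim as the test input.
POSTED_MESSAGE = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: armored double signed file, signed with two rsa keys

owEBdwOI/JANAwAIAayhY/YEre4gAJANAwAIAWoFoLeFMG0lAawnYgdkc20udHh0
RBCwGnRlc3QgZG91YmxlIHNpZ25lZCBtZXNzYWdliQEVAwUARBCwGmoFoLeFMG0l
AQh2wQgAmpw0z7++Fiebum0FR1psIfo9/231NsNfGlwPTrOwltir1XmcgeG6vuln
S4+E1PSRZAXEKzqRrGLBM2yWC0QsbeWeHrkl6v56SxP7/Gu7fHc2esHRZ0vdcR6Y
gg2RttrGwWN3Docmuufp4E6a55IVnhUDY5CJmvcPm7JYtxYJ7ufsCjGcqGhVGMdL
Nx3tvIqNyX0yHnxGZyPbvMsvCBTUEIMmDS27MRwUa6DHVrKg04AIrCOC4Fgxl7x+
K4EVhV/aUjHHE+khRENCX9aUeNDxdkYy/N2uu3U2/6cCuaxhFoWrN8PYU4y0u0GM
qqMx2vtj8neycqNdtx8P3kbqyFdSRYkCFQMFAEQQsBusoWP2BK3uIAEIeogP/0ng
isFK3mGWJhYSfAHEGAdY+DcwMQyoisCTHZjRuKXKFJ/bq/Ol/Gz4rXOFjFilYsHE
vp3tcH064PGXe7rJG4fbHWj/p8gMAIuxiaAvAVMAvgK7xbyfTi5IgLvgp7Zv9UrZ
ID+RLlOSJNZZMN5/h3P/NDcIIrbTHOiAxej5ugKkJbFzoxdlVT7LLHLBSjEcLBaz
aYjI5+wvGc1aqE3UATqT1yiJRjzVoLdaUqxvSsPCAMLcsQ6HSGvx+ODDIZoSC8d1
/x90+nXE+olo4uVcBqgIClBgletnoiIC0oKVxMAO0EcKz+VHpn+xBFJbQWFVIL+F
5Be1x1RmVHpExmMenaEMZ0I7jmmF8mbSBaGjuoaHDXG2hW05Tx/c1+bv2TyLl0kX
I8TdHL27GwwlE8kpmmo2XODFKX5vlj3wOoXN9dkEtZs+qk7h88s3qQk79+0mfX5n
eFa5/fvx7uBvRKsd3NKpnzbQvfDw3KfMlLX66cR0jp6QoSTQtrTsx5HOI8JtbFxR
TEa2BV+eu6qmLa3ooYv66BNUn/FGiOfsqqWsjAxM5JHLoioXO4XXzNJtDlk6X6Vq
HcNNKNPOrse40D4HUSN4dmwdGg+nlvCiQQde0DHbmyHpodu3J2qFh2OEWXIjs35c
i/slwpqTqhU0ECFtNDhK7iv8Lue0IqxGyCaNlRBe
=ySCn
-----END PGP MESSAGE-----"""

def crc24(data):
    """CRC-24 of the armored payload, as carried on the '=XXXX' line (RFC 4880 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Return (binary payload, crc_ok) for one armored block."""
    lines = text.strip().splitlines()[1:-1]            # drop the BEGIN / END lines
    while lines.pop(0).strip():                         # skip 'Version:' etc. up to the blank line
        pass
    crc = int.from_bytes(base64.b64decode(lines.pop()[1:]), "big")
    data = base64.b64decode("".join(lines))
    return data, crc24(data) == crc

def parse_packets(data):
    """Split a packet stream into (tag, body) pairs; old- and new-format headers."""
    packets, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80: raise ValueError("not a packet header: 0x%02x" % hdr)
        if hdr & 0x40:                                  # new format (RFC 4880 4.2.2)
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192: length = first
            elif first < 224: length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255: length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else: raise ValueError("partial body lengths are not handled here")
        else:                                           # old format (RFC 4880 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3: length = len(data) - i       # indeterminate: rest of the stream
            else: length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        body, i = data[i:i + length], i + length
        if len(body) != length: raise ValueError("truncated packet")
        packets.append((tag, body))
    return packets

LETTER = {4: "O", 11: "D", 2: "S"}                     # the announcement's shorthand, as read here
INFLATE = {0: bytes, 1: lambda b: zlib.decompress(b, -15), 2: zlib.decompress, 3: bz2.decompress}

def flatten(packets):
    """Descend into compressed data packets (tag 8) so the check sees the real layout."""
    out = []
    for tag, body in packets:
        if tag == 8:
            out += flatten(parse_packets(INFLATE[body[0]](body[1:])))
        else:
            out.append((tag, body))
    return out

def accepted(packets):
    """True only for S D, or O{n} D S{n} whose one-pass chain is consistent."""
    tags = [t for t, _ in packets]
    if tags == [2, 11]:
        return True
    n = next((k for k, t in enumerate(tags) if t != 4), len(tags))
    if n == 0 or tags[n:] != [11] + [2] * n:
        return False
    onepass = [b for _, b in packets[:n]]
    flags = [b[12] for b in onepass if b[0] == 3 and len(b) == 13]   # v3 one-pass: 13 bytes, 'nested' last
    if flags != [0] * (n - 1) + [1]:                    # nested flag must read 0,...,0,1
        return False
    sigs = [b for _, b in packets[n + 1:]]
    # one-pass packets are listed outermost first, signatures innermost first; a v3
    # signature carries its issuer key ID at bytes 7..14 (v4 uses a subpacket, skipped here)
    return all(s[0] != 3 or s[7:15] == o[4:12] for s, o in zip(sigs, reversed(onepass)))

def check(armored, extra=b""):
    """Layout string and verdict; `extra` appends packets behind the signatures."""
    data, crc_ok = dearmor(armored)
    packets = flatten(parse_packets(data)) + parse_packets(extra)
    layout = "".join(LETTER.get(t, "?") for t, _ in packets)
    return {"crc_ok": crc_ok, "layout": layout, "accepted": accepted(packets)}

# Constructed for the demo: an unsigned literal data packet, old header 0xAC (tag 11, 14-byte body).
INJECTED = b"\xac\x0e" + b"b\x00" + b"\x00" * 4 + b"injected"
```

Calling check(POSTED_MESSAGE) yields layout "OODSS" with accepted True; check(POSTED_MESSAGE, INJECTED) yields "OODSSD" with accepted False. Partial-body lengths and v4 issuer subpackets are deliberately left out to keep the parser short; the 'nested' flag and the reversed key-ID order are what distinguish a genuine multi-key signature from a concatenation of unrelated packets.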


