Signature version line not protected against alteration

randux at Safe-mail.net randux at Safe-mail.net
Wed Mar 28 02:03:39 CEST 2007


Greetings all,

I came upon something a bit odd in gnupg 1.4.7. I found I can change the comment field in a signed message to be whatever I like. I should think this is a bad thing as an attacker could insert text in a message presumably protected against all modifications if the signature verifies properly.

I'm hoping the attachments won't be corrupted by my emailer. The first attachment is the clearsigned message. I altered the comment field manually after creating the .asc. The second attachment is the public key so you can verify that the clearsigned message is valid.

Thanks loads to everyone who's worked on gnupg. It's a brilliant app and an important one at that.

Cheers,
Rand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: phil.zimmermann.asc
Type: application/pgp-signature
Size: 299 bytes
Desc: not available
Url : /pipermail/attachments/20070328/01eca3a3/attachment.pgp 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: phil.pub
Type: application/octet-stream
Size: 1767 bytes
Desc: not available
Url : /pipermail/attachments/20070328/01eca3a3/attachment.obj 
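
Added example, not part of the original post: the armor header lines (Version, Comment) are not part of the data an OpenPGP signature is computed over, so a tool should treat them as untrusted. The sketch below separates a clearsigned message into signed text and unauthenticated header lines. The function names are hypothetical, SAMPLE is constructed, and its signature data is a placeholder that would not verify.

```python
def split_clearsigned(msg: str) -> dict:
    """Separate the signed text from the armor header lines."""
    lines = msg.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    # "Hash:" headers run up to the first empty line after the BEGIN line.
    body_start = lines.index("", start) + 1
    # Signed text: undo dash-escaping (a leading "- ") on each line.
    signed = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig]]
    # Armor headers of the signature block run up to its first empty line.
    data_start = lines.index("", sig) + 1
    return {
        "hash_headers": lines[start + 1:body_start - 1],
        "signed_text": "\n".join(signed),
        "unauthenticated_headers": lines[sig + 1:data_start - 1],
        "signature_data": "".join(lines[data_start:end]),
    }

def header_only_change(a: str, b: str) -> bool:
    """True if two messages differ only in unauthenticated armor headers."""
    pa, pb = split_clearsigned(a), split_clearsigned(b)
    same_signed = (pa["signed_text"] == pb["signed_text"]
                   and pa["signature_data"] == pb["signature_data"])
    return same_signed and pa["unauthenticated_headers"] != pb["unauthenticated_headers"]

# Constructed sample; the base64 body is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pay Bob 10 EUR.
- - item one
Alice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: original comment

Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
=AAAA
-----END PGP SIGNATURE-----
"""
ALTERED = SAMPLE.replace("Comment: original comment", "Comment: edited later")

if __name__ == "__main__":
    print(split_clearsigned(ALTERED)["unauthenticated_headers"])
    print(header_only_change(SAMPLE, ALTERED))
```

When displaying a verified message, show only `signed_text` as authenticated and render or drop the header lines separately.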

