Signature version line not protected against alteration

David Shaw dshaw at jabberwocky.com
Wed Mar 28 05:25:58 CEST 2007


On Wed, Mar 28, 2007 at 03:03:39AM +0300, randux at Safe-mail.net wrote:
> Greetings all,
>
> I came upon something a bit odd in gnupg 1.4.7. I found I can change
> the comment field in a signed message to be whatever I like. I
> should think this is a bad thing as an attacker could insert text in
> a message presumably protected against all modifications if the
> signature verifies properly.

The "comment" and "version" armor fields are both essentially
comments, and are ignored by the OpenPGP protocol.  You can change
either of them to whatever you like.

David
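
The point made in the reply above, as an added example (not part of the original message and not GnuPG's code): a minimal armor parser showing that the "Version" and "Comment" lines sit outside the packet bytes that are handed on for signature verification. The function names and the SAMPLE_PACKETS bytes are constructed for illustration; the CRC24 constants are those of RFC 4880, section 6.1.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # constants from RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload: bytes, headers: dict) -> str:
    """Wrap packet bytes in ASCII armor with the given armor headers."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = ["-----BEGIN PGP SIGNATURE-----"]
    lines += [f"{key}: {value}" for key, value in headers.items()]
    lines += [""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["=" + crc, "-----END PGP SIGNATURE-----"]
    return "\n".join(lines)

def dearmor(text: str):
    """Return (armor headers, packet bytes); only the bytes go on to verification."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an armored block")
    blank = lines.index("")  # armor headers end at the first blank line
    headers = dict(line.split(": ", 1) for line in lines[1:blank])
    body = lines[blank + 1:-1]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    payload = base64.b64decode("".join(body))
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(payload).to_bytes(3, "big"):
        raise ValueError("CRC24 mismatch: armored data was altered or corrupted")
    return headers, payload

# Constructed stand-in for signature packet bytes (not a real signature).
SAMPLE_PACKETS = bytes(range(40))
ORIGINAL = armor(SAMPLE_PACKETS, {"Version": "GnuPG v1.4.7 (GNU/Linux)"})
# Same block after someone rewrites the Version line and adds a Comment line.
EDITED = ORIGINAL.replace("Version: GnuPG v1.4.7 (GNU/Linux)",
                          "Version: anything\nComment: text added after signing")

if __name__ == "__main__":
    for label, block in (("original", ORIGINAL), ("edited", EDITED)):
        headers, packets = dearmor(block)
        print(label, headers, packets.hex())
```

Both blocks decode to the same packet bytes, so anything shown from the armor headers should be treated as unauthenticated text. The CRC24 line is only a transmission check over the decoded body and does not cover the headers either.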
