Signature version line not protected against alteration

David Shaw dshaw at
Wed Mar 28 05:25:58 CEST 2007

On Wed, Mar 28, 2007 at 03:03:39AM +0300, randux at wrote:
> Greetings all,

> I came upon something a bit odd in gnupg 1.4.7. I found I can change
> the comment field in a signed message to be whatever I like. I
> should think this is a bad thing as an attacker could insert text in
> a message presumably protected against all modifications if the
> signature verifies properly.

The "comment" and "version" armor fields are both essentially
comments, and are ignored by the OpenPGP protocol.  You can change
either of them to whatever you like.
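
Added example, not part of the original message and not GnuPG's code: a minimal Python de-armoring routine following the RFC 4880 armor layout. It shows that the "Version" and "Comment" lines sit outside the base64 data that carries the signature packet, so editing them leaves the verified bytes unchanged. The payload is a constructed stand-in rather than a real signature, and the names armor, dearmor, PAYLOAD, AS_SENT and EDITED are hypothetical.

```python
import base64

def crc24(data):
    """CRC-24 of the armor checksum line (constants from RFC 4880)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload, headers):
    """Wrap binary packet data in ASCII armor with the given header lines."""
    b64 = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join(
        ["-----BEGIN PGP SIGNATURE-----"]
        + [f"{key}: {value}" for key, value in headers]
        + [""]                                   # blank line ends the headers
        + [b64[i:i + 64] for i in range(0, len(b64), 64)]
        + ["=" + check, "-----END PGP SIGNATURE-----"])

def dearmor(text):
    """Return (armor headers, binary payload); headers are never authenticated."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an armored block")
    blank = lines.index("")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:blank]]
    body = lines[blank + 1:-1]
    payload = base64.b64decode("".join(body[:-1]))
    # The CRC covers only the decoded payload, not the header lines.
    if crc24(payload) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return headers, payload

PAYLOAD = bytes(range(70))  # constructed stand-in for signature packet bytes
AS_SENT = armor(PAYLOAD, [("Version", "GnuPG v1.4.7 (GNU/Linux)")])
EDITED = armor(PAYLOAD, [("Version", "anything"), ("Comment", "edited later")])

if __name__ == "__main__":
    for label, text in (("as sent", AS_SENT), ("edited", EDITED)):
        headers, payload = dearmor(text)
        print(label, headers, payload == PAYLOAD)
```

A tool that displays or logs armor headers should treat them as unauthenticated input, since only the decoded packet data takes part in signature verification.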


