GnuPG Summer Riddle 2007 [SOLUTION]

Sascha Wilde wilde at sha-bang.de
Fri Jan 25 08:28:32 CET 2008


Ingo Klöcker <kloecker at kde.org> wrote:
> On Thursday 24 January 2008, Sascha Wilde wrote:
>> Bernhard Reiter <bernhard at intevation.de> wrote:
>>
>> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING
>>
>>                                 SOLUTION
>>
>> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER WARNING

> 0x01: Signature of a canonical text document.
>          Typically, this means the signer owns it, created it, or
>          certifies that it has not been modified.  The signature is
>          calculated over the text data with its line endings converted
>          to <CR><LF> and trailing blanks removed.
>
> So it's not just line endings but also trailing blanks.

True.  So it seems that whitespace[0] programs are the ideal target for
forged signatures of this kind...

> Nice. The attached files are my crude bash-based proof of concept.

From your POC:

  appname=`basename "$0"`
  if [ "$appname" == "app4.sh" ]; then

:-)

Actually this was my very first thought when reading the riddle, too.
But Bernhard told me that it is not the solution and that he would
consider this a breach of "do not depend on external factors" (part of
rule b) ).

Maybe it should have been added to the description, that the two app
files differ (have different md5sums).

cheers
sascha

[0] http://compsoc.dur.ac.uk/whitespace/index.php
-- 
Sascha Wilde

If you think technology can solve your problems you don't understand
technology and you don't understand your problems.  (Bruce Schneier)
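
The 0x01 canonicalization quoted in this thread, as an added example that is not part of the original messages or of anyone's proof of concept: two constructed files with different md5sums reduce to the same signed byte stream, and a small check lists the trailing blanks a text-mode signature does not cover. It assumes "blanks" means space and tab; the function names and sample files are made up for illustration.

```python
import hashlib
import re

# Assumption: "trailing blanks" are spaces and tabs at the end of a line.
_TRAILING = re.compile(rb"[ \t]+$")


def _lines(data: bytes) -> list:
    """Split on any line-ending style (CRLF, CR or LF)."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")


def canonicalize(data: bytes) -> bytes:
    """Canonical text form as quoted above: trailing blanks removed,
    line endings converted to <CR><LF>. This is what gets hashed."""
    return b"\r\n".join(_TRAILING.sub(b"", line) for line in _lines(data))


def trailing_blanks(data: bytes) -> list:
    """Return (line_number, blank_bytes) for content a 0x01 signature ignores."""
    findings = []
    for number, line in enumerate(_lines(data), start=1):
        match = _TRAILING.search(line)
        if match:
            findings.append((number, match.group()))
    return findings


def same_under_text_signature(a: bytes, b: bytes) -> bool:
    """True if one 0x01 signature would verify over both inputs."""
    return canonicalize(a) == canonicalize(b)


# Constructed sample files: same visible text, different raw bytes.
APP_A = b"#!/bin/sh\necho hello\n"
APP_B = b"#!/bin/sh \t \r\necho hello\t\n"

if __name__ == "__main__":
    print("md5 A:", hashlib.md5(APP_A).hexdigest())
    print("md5 B:", hashlib.md5(APP_B).hexdigest())
    print("same signed data:", same_under_text_signature(APP_A, APP_B))
    for number, blanks in trailing_blanks(APP_B):
        print(f"line {number}: unsigned trailing bytes {blanks!r}")
```

A verifier that must bind the exact file bytes can reject input for which `trailing_blanks()` is non-empty, or require a binary (0x00) signature instead of a text one.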