GPG 1.4.9 false verification

Andy McKnight andy.mcknight at gmail.com
Mon May 5 10:15:51 CEST 2008


Hi Guys,

I'm new to GPG so I'm not sure if this is a problem or if it's by design but
it's possible to modify a clearsigned message/document and still have it
verify.  When I sign a document GPG adds the two header lines "-----BEGIN
PGP SIGNED MESSAGE-----" and "Hash: SHA1" followed by a blank line.  I can
add any text I wish into the blank line without affecting the verification
of the signature.  Changing anything else breaks verification.

Is this behaviour by design?  Are GPG users supposed to be aware that this
line is untrusted?

Andy.
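
A pre-verification check for the behaviour described in the message above, as an added example that is not part of the original post or of GnuPG: it flags every line between the BEGIN line and the empty separator that is not a `Hash:` header, the only armor header RFC 4880 section 7 permits there. The function names and sample messages are constructed for illustration.

```python
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# RFC 4880 section 7 allows only "Hash" armor headers before the signed text.
HASH_HEADER = re.compile(r"^Hash: [A-Za-z0-9-]+(, ?[A-Za-z0-9-]+)*$")


def unsigned_header_lines(message):
    """Return [(line_number, text)] for each line between the BEGIN marker and
    the empty separator line that is not a well-formed Hash header."""
    lines = message.splitlines()
    if BEGIN not in lines:
        raise ValueError("no clearsigned message found")
    start = lines.index(BEGIN)
    findings = []
    for number, line in enumerate(lines[start + 1:], start=start + 2):
        if line == "":
            return findings  # separator reached; the signed text starts here
        if line == SIG_BEGIN:
            break
        if not HASH_HEADER.match(line):
            findings.append((number, line))
    # No empty separator: the start of the signed text cannot be determined.
    findings.append((0, "<missing empty separator line>"))
    return findings


def make_sample(header_area):
    """Build a constructed sample; the signature body is a placeholder."""
    return "\n".join([BEGIN, *header_area, "Pay Bob 10 EUR", SIG_BEGIN,
                      "", "(placeholder, not a real signature)",
                      "-----END PGP SIGNATURE-----"])


# Constructed inputs: untouched, a line added above the separator, and the
# separator itself replaced by text.
CLEAN = make_sample(["Hash: SHA1", ""])
EXTRA_LINE = make_sample(["Hash: SHA1", "text added after signing", ""])
FILLED_SEPARATOR = make_sample(["Hash: SHA1", "text added after signing"])

if __name__ == "__main__":
    for name in ("CLEAN", "EXTRA_LINE", "FILLED_SEPARATOR"):
        print(name, unsigned_header_lines(globals()[name]))
```

Any finding means the message carries content outside the signed text, so a "good signature" result should be read as applying only to the lines after the separator.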