GPG 1.4.9 false verification

Robert J. Hansen rjh at sixdemonbag.org
Mon May 5 11:44:32 CEST 2008


Andy McKnight wrote:
> Is this behaviour by design?  Are GPG users supposed to be aware that
> this line is untrusted?

The behavior is specified by RFC4880 and is not a security risk.

As an example, I have a small CSS file here that I have clearsigned.
The opening looks like:

*-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello, World!
/*************************************************************************
  Enigmail New Site - Main CSS (for SCREEN display on recent browsers)



(I've added an asterisk to the beginning of the -----BEGIN block, to
prevent mail clients from misreading it as a real OpenPGP stanza.)



Now I try to verify it with:

job:~ rjh$ gpg main.css.asc
gpg: invalid armor header: Hello, World!\n
File `main.css' exists. Overwrite? (y/N) y
gpg: Signature made Mon May  5 04:38:51 2008 CDT using RSA key ID FEAF8109
gpg: Good signature from "Robert J. Hansen <rjh at sixdemonbag.org>"
gpg:                 aka "Robert J. Hansen"


Looking at the top of main.css, what I see is:


/*************************************************************************
  Enigmail New Site - Main CSS (for SCREEN display on recent browsers)



... The injected text is stripped.  It is never presented to the user as
verified text.

If a mail client presents the original message, rather than the message
as GnuPG has verified it, then that is a major HCI issue.  I would
suggest filing a bug with the maintainer of your mail client.
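
The point above, that text injected among the armor headers lies outside the signed text, as an added example that is not part of the original post and is not GnuPG's code: a minimal Python splitter following the cleartext signature framework of RFC 4880 (section 7). The function name and the sample message are constructed for illustration, and the signature itself is not checked here.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def split_clearsigned(message):
    """Return (hash_algos, rejected_header_lines, signed_text).

    Only signed_text is covered by the signature. The signature itself
    is NOT verified here; that remains the job of gpg.
    """
    lines = message.splitlines()
    if not lines or lines[0] != BEGIN:
        raise ValueError("not a cleartext-signed message")
    hash_algos, rejected = [], []
    i = 1
    # Armor header section: everything up to the first empty line.
    while i < len(lines) and lines[i] != "":
        if lines[i].startswith("Hash: "):
            hash_algos += [a.strip() for a in lines[i][6:].split(",")]
        else:
            rejected.append(lines[i])  # e.g. injected text, never signed
        i += 1
    if i == len(lines):
        raise ValueError("no empty line after the armor headers")
    i += 1  # the separating empty line is not part of the signed text
    body = []
    while i < len(lines) and lines[i] != SIG_BEGIN:
        # Undo dash-escaping ("- " prefix on lines that start with "-").
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("no signature block found")
    return hash_algos, rejected, "\n".join(body)


# Constructed sample: the signature block is a placeholder, not real.
SAMPLE = "\n".join([
    BEGIN, "Hash: SHA256", "Hello, World!", "",
    "/* main.css */", "- -- dash-escaped line", "body { margin: 0; }",
    SIG_BEGIN, "", "(placeholder)", "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    algos, rejected, text = split_clearsigned(SAMPLE)
    print("hash algorithms:", algos)
    print("rejected header lines (unsigned):", rejected)
    print("text covered by the signature:\n" + text)
```

A mail client that displays only the third return value, and only after gpg reports a good signature, shows the user the same text that gpg wrote to main.css above.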



