GPG 1.4.9 false verification
Robert J. Hansen
rjh at sixdemonbag.org
Mon May 5 11:44:32 CEST 2008
Andy McKnight wrote:
> Is this behaviour by design? Are GPG users supposed to be aware that
> this line is untrusted?
The behavior is specified by RFC4880 and is not a security risk.
As an example, I have a small CSS file here that I have clearsigned.
The opening looks like:
*-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello, World!
/*************************************************************************
Enigmail New Site - Main CSS (for SCREEN display on recent browsers)
(I've added an asterisk to the beginning of the -----BEGIN block, to
prevent mail clients from misreading it as a real OpenPGP stanza.)
Now I try to verify it with:
job:~ rjh$ gpg main.css.asc
gpg: invalid armor header: Hello, World!\n
File `main.css' exists. Overwrite? (y/N) y
gpg: Signature made Mon May 5 04:38:51 2008 CDT using RSA key ID FEAF8109
gpg: Good signature from "Robert J. Hansen <rjh at sixdemonbag.org>"
gpg: aka "Robert J. Hansen"
Looking at the top of main.css, what I see is:
/*************************************************************************
Enigmail New Site - Main CSS (for SCREEN display on recent browsers)
... The injected text is stripped. It is never presented to the user as
verified text.
If a mail client presents the original message, rather than the message
as GnuPG has verified it, then that is a major HCI issue. I would
suggest filing a bug with the maintainer of your mail client.
More information about the Gnupg-users
mailing list