GPG 1.4.9 false verification

Andy McKnight andy.mcknight at gmail.com
Mon May 5 12:03:53 CEST 2008


> The behavior is specified by RFC4880 and is not a security risk.

Hi,

I was testing this with the --verify switch only so I didn't see the final
output with the stripped headers.  Thanks for clearing this up.

Your point regarding my mail client was interesting though.  I use the web
interface of Gmail with the firegpg plugin.  I thought I'd look at this in a
bit more detail.  Sending the below message to me verifies as good through
firegpg.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This is some tested verification text.


- --
key id: 0x6A8BAF97
fingerprint: 0AF9 F0A4 52D2 9775 F996 2027 41AD C31B 6A8B AF97

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: http://getfiregpg.org

iEYEARECAAYFAkge2nUACgkQQa3DG2qLr5f0XwCfaZFqPy/Mx5IcydFkHX2Ytr0k
MCMAoIGuwXlUuQo8ZQfBGA/pyXmCPphy
=/gr1
-----END PGP SIGNATURE-----

I then used the same message but modified the last header line after signing
but before sending.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, this is my modified line.

This is some tested verification text.


- --
key id: 0x6A8BAF97
fingerprint: 0AF9 F0A4 52D2 9775 F996 2027 41AD C31B 6A8B AF97

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: http://getfiregpg.org

iEYEARECAAYFAkge2nUACgkQQa3DG2qLr5f0XwCfaZFqPy/Mx5IcydFkHX2Ytr0k
MCMAoIGuwXlUuQo8ZQfBGA/pyXmCPphy
=/gr1
-----END PGP SIGNATURE-----

This also verifies good through firegpg with no message regarding an
incorrect header.  I'd guess as nothing is stripped and no header warning is
given this may be more of an issue?

Andy.
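
A check a mail front end could run before reporting a good signature, as an added example that is not part of the original post and is not FireGPG or GnuPG code: it splits a cleartext-signed message into the armor-header block, which the signature does not cover, and the signed text, then reports any header line that is not a `Hash:` header (RFC 4880 section 7 lists only "Hash" armor headers in that position). The function names and the abridged sample message are constructed for illustration, and no signature is verified here.

```python
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"
HASH_HEADER = re.compile(r"^Hash: [A-Za-z0-9,\- ]+$")

def split_cleartext(message):
    """Return (armor_header_lines, signed_text) for one cleartext-signed message."""
    lines = message.splitlines()
    start = lines.index(BEGIN)
    end = lines.index(SIG, start)
    # Armor headers run up to the first empty line and are not hashed.
    blank = start + 1
    while blank < end and lines[blank].strip() != "":
        blank += 1
    if blank == end:
        raise ValueError("no empty line between armor headers and signed text")
    headers = lines[start + 1:blank]
    # Undo dash-escaping ("- " prefix) to recover the text the signature covers.
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]
    return headers, "\n".join(body)

def unexpected_headers(headers):
    """Header lines that are not 'Hash:' headers: unsigned text a reader may see."""
    return [h for h in headers if not HASH_HEADER.match(h)]

# Constructed sample: the modified message from the post, abridged, with the
# signature data replaced by a placeholder.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, this is my modified line.

This is some tested verification text.
- --
key id: 0x6A8BAF97
-----BEGIN PGP SIGNATURE-----
(signature data omitted)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    headers, signed_text = split_cleartext(SAMPLE)
    for line in unexpected_headers(headers):
        print("NOT COVERED BY SIGNATURE:", line)
    print("Signed text to display:")
    print(signed_text)
```

A client that displays only `signed_text`, or that refuses the message when `unexpected_headers` is non-empty, never presents the injected line alongside a good-signature result.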