Difference between clearsign and detached signatures?

TJ gnupg at iam.tj
Sat Aug 30 01:20:35 CEST 2014


On 29/08/14 19:03, Ingo Klöcker wrote:
> On Thursday 28 August 2014 22:53:52 TJ wrote:
>> I've recently been digging deep into the source-code trying to
>> understand what the differences are between --clearsign and
>> --detach-sign signatures.
>
> The RFC is probably much easier to read than the source code:
> http://tools.ietf.org/html/rfc4880

The RFC was fine but, for me, the code is authoritative especially when
I suspect implementation differences.

>> I had thought that the message digest hash (in this case SHA512)
>> should be the same since the input data is the same whichever
>> signing method is used. This didn't work as I had expected so I have
>> been digging into the source-code to figure out what is different
>> between the two signing methods.
>
> In general the message digest hashes will differ. The reason for this is
> a different canonicalization of the signed text (provided the detached
> signature is a text document signature; if it's a binary document
> signature no canonicalization is applied). A main difference is the
> stripping of trailing whitespace in the text (which is done for
> cleartext signatures but not for text document signature).

Yes, I worked on that one too, checking that there was no white-space at end
of lines:

egrep '[\t ]$' Release | wc -l
0

I also tried replacing <LF> with <CR><LF> as per 5.2.1. and "Signature of a canonical text document".

gpg --verify <(echo -e "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n$(sed ':a;N;$!ba;s/\n/\r\n/g' Release)\n$(cat Release.asc.gpg)")
# gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89
# gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"

gpg --verify <(echo -e "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n$(sed ':a;N;$!ba;s/\n/\r\n/g' Release)\n$(cat Release.Test.detached.gpg)")
# gpg: Signature made Thu 28 Aug 2014 19:29:37 BST using RSA key ID 3591FB89
# gpg: BAD signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"

Looking at the code the signing path is either of:

g10/sign.c::sign_file()
g10/clearsign_file()

For sign_file() text_filter() and md_filter() are added to the input iobuf filter list.

For clearsign_file() copy_clearsig_text() is called, which in turn uses len_without_trailing_chars()
to copy the line excluding trailing whitespace from plaintext input to clearsign output.

For verify_signatures() and verify_files() (via verify_one_file()), armor_filter() is pushed onto the
iobuf filter list then proc_signature_packets() is called, which calls do_proc_packets() which,
during IOBUFCTRL_UNDERFLOW calls radix64_read() which skips whitespace characters.

This being the case I cannot see any opportunity for the plaintext that is the subject of the message
digest hashing to be different, which suggests that something else is added to the hashed value when
generating a detached signature.

gpg --verify Release.asc
# gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89
# gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"

gpg --verify Release.Test.detached.gpg Release
# gpg: Signature made Thu 28 Aug 2014 19:29:37 BST using RSA key ID 3591FB89
# gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"

gpg --verify Release.asc.gpg Release
# gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89
# gpg: BAD signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"
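
Added example, not part of the original message and not GnuPG code: a Python model of what RFC 4880 (sections 5.2.1, 5.2.4 and 7.1) feeds into the hash for a binary detached, a text detached and a cleartext signature. The sample file contents and the creation-time value are constructed, and dash-escaping is left out.

```python
import hashlib
import struct

SIG_BINARY, SIG_TEXT = 0x00, 0x01   # RFC 4880 section 5.2.1 signature types
PK_RSA, HASH_SHA512 = 1, 10         # RFC 4880 algorithm IDs

def canon_text(data: bytes) -> bytes:
    """Text document signature (5.2.1): every line ending becomes <CR><LF>."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def canon_cleartext(data: bytes) -> bytes:
    """Cleartext framework (7.1): trailing spaces/tabs are dropped, lines are
    joined with <CR><LF>, and the final line ending is not signed."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()                 # line ending before the signature armor
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)

def v4_digest(document: bytes, sig_type: int, hashed_subpackets: bytes) -> str:
    """SHA-512 over the document, then the v4 signature fields and trailer (5.2.4)."""
    header = struct.pack(">BBBBH", 4, sig_type, PK_RSA, HASH_SHA512,
                         len(hashed_subpackets)) + hashed_subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(header))
    return hashlib.sha512(document + header + trailer).hexdigest()

# Constructed inputs: the same two-line LF file with and without a trailing
# space, and one signature creation time subpacket (length 5, type 2).
SAMPLE = b"Origin: Example \nSuite: test\n"
CLEAN = b"Origin: Example\nSuite: test\n"
CREATED = bytes([5, 2]) + struct.pack(">I", 1400000000)

def digests(data: bytes) -> dict:
    """Digest each signing mode would sign for the same input file."""
    return {
        "detached, binary (0x00)": v4_digest(data, SIG_BINARY, CREATED),
        "detached, text (0x01)": v4_digest(canon_text(data), SIG_TEXT, CREATED),
        "cleartext (0x01)": v4_digest(canon_cleartext(data), SIG_TEXT, CREATED),
    }

if __name__ == "__main__":
    for name, value in digests(CLEAN).items():
        print(f"{name:26} {value[:32]}")
```

Even for the file without trailing whitespace the three digests differ, because the signature type octet and the line-ending handling are both part of the hashed input.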



