Difference between clearsign and detached signatures?
gnupg at iam.tj
Sun Aug 31 00:11:17 CEST 2014
On 30/08/14 22:20, Ingo Klöcker wrote:
> On Thursday 28 August 2014 22:53:52 TJ wrote:
>> The aim/hope was to combine the plaintext and detached signature into
>> the armored clearsign format and thus avoid needing to write one of
>> them to the file-system (the other can be supplied via stdin).
> You can probably use another approach than trying to create a
> clearsigned text from a signed text and its detached signature. On the
> command line one can provide both, the detached signature and the signed
> text, one after the other via stdin by running
> gpg --verify - -
> You need to separate the detached signature and the signed stuff with an
> EOT, e.g. on the console first you enter the armored detached signature
> and terminate it with Ctrl+D, then you enter the signed text and
> terminate it with Ctrl+D.
This would solve the issue I'm dealing with, but I can't get it to work here:
gpg --verify - - < <(echo -ne "$(cat Release.gpg)\004$(cat Release)\004")
gpg: Signature made Sat 30 Aug 2014 22:58:07 BST using RSA key ID 3591FB89
gpg: BAD signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) <detached at signature.org>"
cat -e < <(echo -ne "$(cat Release.gpg)\004$(cat Release)\004") | grep END
# -----END PGP SIGNATURE-----^DOrigin: Ubuntu$
With "--debug-all" I noticed that "dgbmd-00001.verify" is empty, which indicates no
plaintext was received.
> BTW, which language do you want to write the code in?
Well, I'm working in C to add another option to gpg, but the code that needs this is
a Python library (that imports python-gnupg) that enables the regular verification of the
GPG signatures of APT archive 'Release' files in all Debian/Ubuntu/related-distro
If I can find a way to pass both plaintext and detached signature via stdin
that would solve the issue - I'm trying to avoid any need to create temporary
files on the file-system.
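
Added example, not part of the original post and not code from GnuPG or python-gnupg: one way to verify a detached signature from Python without temporary files. It swaps the two-EOT approach for gpg's --enable-special-filenames option, so the signature arrives on an inherited pipe descriptor ("-&N") and the signed text on stdin; a \004 byte written into a pipe is ordinary data, since only a terminal turns Ctrl+D into end-of-file. The function names and the injectable argv_for parameter are assumptions made here, and pass_fds is POSIX only.

```python
import os
import subprocess
import threading


def gpg_argv(sig_fd, gpg="gpg"):
    """gpg command line: signature from an inherited fd, signed text from stdin."""
    return [gpg, "--batch", "--status-fd", "1",
            "--enable-special-filenames",  # "-&N" now names file descriptor N
            "--verify", f"-&{sig_fd}", "-"]


def run_with_sig_fd(signature, data, argv_for=gpg_argv):
    """Feed signature on a private pipe and data on stdin; return (rc, stdout)."""
    rfd, wfd = os.pipe()  # non-inheritable by default; only rfd is passed on
    try:
        proc = subprocess.Popen(argv_for(rfd), stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE, pass_fds=(rfd,))
    except Exception:
        os.close(wfd)
        raise
    finally:
        os.close(rfd)  # the parent never reads the signature pipe

    def feed():
        # Separate writer so a signature larger than the pipe buffer cannot
        # deadlock against the stdin write done by communicate().
        try:
            with os.fdopen(wfd, "wb") as w:
                w.write(signature)
        except BrokenPipeError:
            pass  # child exited without reading; its exit code reports that

    writer = threading.Thread(target=feed)
    writer.start()
    out, _ = proc.communicate(data)
    writer.join()
    return proc.returncode, out


def verify_detached(signature, data, argv_for=gpg_argv):
    """Return the signing key fingerprint from VALIDSIG, or None on any failure."""
    rc, out = run_with_sig_fd(signature, data, argv_for)
    for line in out.decode("utf-8", "replace").splitlines():
        fields = line.split()
        if rc == 0 and fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) > 2:
            return fields[2]
    return None
```

Compare the returned fingerprint with the key expected for the archive; VALIDSIG only says the signature checks out against some key in the keyring.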