Fwd: Using gpg to sign database information, problems with signature verification

Rodolfo Conde rodolfo.conde at compumed.com.mx
Tue Jun 17 01:11:17 CEST 2014

    Hi everyone,

    I have been using gnupg to secure my personal data for a long time
and it has worked very fine. But now I need to use it in a very
different way. I have developed a dll in .net (with c#) which must
encapsulate the program gpg. Thus, the dll is a library wrapper that
provides my .net programs with basic encryption/decryption and
signing/verification of information used in these programs.  The signing
process implemented in the dll is separate signing, so that the signed
data is not included in the gpg signature. The dll uses the .net Process
class to invoke the gpg executable. 

    So far so good, the dll behaves well in general, but now I need to
use this dll with a c# program which manipulates information stored in a
database. In general, I have some database tables which contain a column
named "signature" that stores the gpg-generated signature (using the
dll) of the rest of the columns in the corresponding table. Each time a
new row is generated,  the data of some columns is gathered to build a
string which is then used to generate the signature column of the new
row. All the information is inserted in the database and the signing
process is completed for the new row.

    The problem comes later, when I want to verify that the database
information has not been altered by an external party. My c# program can
retrieve the information stored in a row of a table with the signature
column and then it builds again the string used to sign the row data and
then this string together with the signature generated in the previous
step are feed to my gpg dll wrapper to perform a verification process
using the gpg executable. In general, the verification process works
fine, but there are times in which gpg tells me that the signature or
the data is wrong... but no one has altered the data in the database !!!
As I have said, this happens from time to time. It is very important
that the verification process works in the right way every time, such
that if the dll wrapper says something is wrong, it is because the data
has been really altered.

    My question is: What could be wrong ? Why sometimes gpg tells me
that the signature is bad or that the data has been altered ? Could it
be some issue concerning character encodings ? Why the data is altered
when I download it from the database Server? Any hints ?

    Thanks a lot in advance !!!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140616/7bb2fe31/attachment.html>

More information about the Gnupg-users mailing list