[Announce] GnuPG 2.1.0 "modern" released
Simon Nicolussi
sinic at sinic.name
Tue Nov 11 00:51:19 CET 2014
I wrote:
> I've attached an exemplary signature file (named gnupg-2.1.0.tar.bz2.sig
> for your convenience) that demonstrates the problem:
Addendum: I noticed that GnuPG releases and git tags are signed with the
same key. Abusing the latter, I'm able to generate far smaller signature
files. The date is now also correct (although the time is still off):
> $ echo evil stuff > gnupg-2.1.0.tar.bz2
> $ gpg2 --verify gnupg-2.1.0.tar.bz2.sig
> gpg: Signature made Wed Nov 5 15:30:17 2014 CET using RSA key ID 4F25E3B6
> gpg: Good signature from "Werner Koch (dist sig)" [full]
As the generated signature file was even smaller than the original one,
I padded it to full length with a private/experimental packet (tag 60):
> $ wc -c gnupg-2.1.0.tar.bz2.sig{,.orig}
> 861 gnupg-2.1.0.tar.bz2.sig
> 861 gnupg-2.1.0.tar.bz2.sig.orig
--
Simon Nicolussi <sinic at sinic.name>
http{s,}://{www.,}sinic.name/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.1.0.tar.bz2.sig
Type: application/octet-stream
Size: 861 bytes
Desc: not available
URL: </pipermail/attachments/20141111/3796bc8f/attachment.obj>
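The post above describes a .sig file built from a signed git tag and padded with a private/experimental packet (tag 60). As an added example (not part of the original post and not GnuPG code), the following check walks the OpenPGP packet headers defined in RFC 4880 section 4.2 and accepts a file as a detached signature only if every packet is a signature packet (tag 2). It assumes binary (not ASCII-armored) input; the function names and sample bytes are constructed for illustration.

```python
# Added example: list OpenPGP packet tags in binary data (RFC 4880, section 4.2).
SIGNATURE_TAG = 2  # a detached signature file should hold only these


def packet_tags(data: bytes) -> list[tuple[int, int]]:
    """Return (tag, body_length) for each packet in binary OpenPGP data."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, total, more = hdr & 0x3F, 0, True
            while more:
                o, more = data[i], False
                if o < 192:                  # one-octet length
                    n, i = o, i + 1
                elif o < 224:                # two-octet length
                    n, i = ((o - 192) << 8) + data[i + 1] + 192, i + 2
                elif o == 255:               # five-octet length
                    n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
                else:                        # partial body chunk, more follow
                    n, i, more = 1 << (o & 0x1F), i + 1, True
                total, i = total + n, i + n
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            size = 0 if ltype == 3 else 1 << ltype   # type 3: runs to end of data
            total = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size + total
        if i > len(data):
            raise ValueError("truncated packet")
        out.append((tag, total))
    return out


def is_pure_detached_signature(data: bytes) -> bool:
    """True only if the data parses and every packet is a signature (tag 2)."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(tag == SIGNATURE_TAG for tag, _ in tags)


# Constructed samples; bodies are zero filler, not real signature data.
DETACHED = bytes([0x88, 5]) + bytes(5)            # old-format tag 2 only
INLINE_PADDED = (bytes([0xC4, 13]) + bytes(13) + bytes([0xCB, 6]) + bytes(6)  # tags 4, 11
                 + bytes([0xC2, 5]) + bytes(5) + bytes([0xFC, 192, 8]) + bytes(200))  # 2, 60
```

Per the gpg manual, when --verify is given more than one argument, the first is treated as a detached signature and the remaining files as the signed data.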