How to detect extraneous content in clearsigned (--clearsign) files?
Patrick Schleizer
patrick-mailinglists at whonix.org
Mon Jan 12 19:52:53 CET 2015
Werner Koch:
> On Mon, 12 Jan 2015 03:19, patrick-mailinglists at whonix.org said:
>
>> Suppose a file has been `--clearsign`ed. Then an adversary prepended or
>> appended extraneous content.
>
> That is what the signature is all about ;-). Use
>
> gpg --verify --output OUT SIGNEDDATA
>
> to write the _verified_ content of the file SIGNEDDATA to the file OUT.
> You also need to check the verification status of course.
Tried your syntax. And also tried this one:
gpg --output ./out --verify ./sha512sums.asc
Never created an "out" file for me.
However, what works for me is this:
gpg --output ./out --verify ./sha512sums.asc
When it exits 0, then this approach is sound, sane and fine?
-----
Is there a way to detect that a file looks like this:
##################################
b4e5ac6ceb9812dacf1f5db26c65b3329da031b0ef5a6107e38e2d92b91ae5f6daff6e6774fbb0ab5bb4148ae4f71b4511595149876f181c40fba5ec0e20a399
test
##################################
vs a file looking like this:
##################################
prepended content
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
b4e5ac6ceb9812dacf1f5db26c65b3329da031b0ef5a6107e38e2d92b91ae5f6daff6e6774fbb0ab5bb4148ae4f71b4511595149876f181c40fba5ec0e20a399
test
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
appended content
##################################
Any way to distinguish both states?
Cheers,
Patrick
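The distinction Patrick asks about can be made structurally: a clearsigned file has a well-defined envelope (the `-----BEGIN PGP SIGNED MESSAGE-----` line, the armor headers, the signed text, and the armored signature block), and anything outside that envelope is simply not covered by the signature. The following is an added example, not code from the thread or from GnuPG itself. It splits a clearsigned text into the unsigned prefix, the signed body (dash-unescaped as RFC 4880 section 7.1 describes), the signature block and the unsigned suffix, and reports whatever lies outside the envelope. It also wraps the `gpg --verify --output` invocation from Werner's reply so the signature status itself is still decided by gpg; that function is an assumption in that it needs a `gpg` binary and the signer's key in the keyring. All function names are mine, and the sample signature block is a constructed placeholder, not a real signature.

```python
"""Detect content outside the signed envelope of a PGP clearsigned file.

Added example (not from the gnupg-users thread or from GnuPG). The
structural split only tells you whether bytes exist that the signature
cannot cover; gpg's own verification still decides whether the
signature is good.
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ARMOR_HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")  # e.g. "Hash: SHA512"


@dataclass
class ClearsignParts:
    prefix: str      # text before the BEGIN PGP SIGNED MESSAGE line (unsigned)
    body: str        # the cleartext the signature covers, dash-unescaped
    signature: str   # the armored signature block, BEGIN..END inclusive
    suffix: str      # text after the END PGP SIGNATURE line (unsigned)


def split_clearsigned(text: str) -> ClearsignParts:
    """Split a clearsigned text into its envelope parts.

    Raises ValueError when the envelope is missing or not terminated.
    """
    start = text.find(BEGIN_SIGNED)
    if start < 0:
        raise ValueError("no '%s' line" % BEGIN_SIGNED)
    sig_start = text.find(BEGIN_SIG, start)
    if sig_start < 0:
        raise ValueError("no '%s' line" % BEGIN_SIG)
    sig_end = text.find(END_SIG, sig_start)
    if sig_end < 0:
        raise ValueError("signature block is not terminated")
    sig_end += len(END_SIG)

    # Lines between the BEGIN SIGNED line and the BEGIN SIGNATURE line.  The
    # first element is the tail of the BEGIN line, the last is the line ending
    # that precedes BEGIN SIGNATURE, which RFC 4880 excludes from the signed text.
    inner = text[start + len(BEGIN_SIGNED):sig_start].split("\n")[1:-1]

    # Armor headers ("Hash: SHA512") end with one blank line in a well-formed
    # file; tolerate a missing blank line, as in the archived message.
    i = 0
    while i < len(inner) and ARMOR_HEADER.match(inner[i]):
        i += 1
    if i < len(inner) and inner[i].strip() == "":
        i += 1

    body_lines = []
    for line in inner[i:]:
        line = line.rstrip(" \t\r")    # trailing whitespace is not signed
        if line.startswith("- "):      # undo dash-escaping (RFC 4880 7.1)
            line = line[2:]
        body_lines.append(line)

    return ClearsignParts(prefix=text[:start], body="\n".join(body_lines),
                          signature=text[sig_start:sig_end], suffix=text[sig_end:])


def extraneous_content(text: str) -> dict:
    """Return the unsigned text before and after the envelope ('' when none)."""
    parts = split_clearsigned(text)
    return {"prepended": parts.prefix.strip(), "appended": parts.suffix.strip()}


def is_clean_envelope(text: str) -> bool:
    """True when nothing but whitespace lies outside the clearsign envelope."""
    found = extraneous_content(text)
    return not found["prepended"] and not found["appended"]


def verify_with_gpg(path: str) -> dict:
    """Run the command from Werner's reply and report gpg's verdict.

    Assumes a gpg binary and the signer's public key in the keyring.  The
    verified content goes to a fresh file so gpg never has to overwrite.
    """
    out = os.path.join(tempfile.mkdtemp(), "out")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", out, "--verify", path],
        capture_output=True, text=True)
    status = [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:] ")]
    good = proc.returncode == 0 and any(l.startswith("[GNUPG:] GOODSIG ") for l in status)
    return {"good_signature": good, "status": status,
            "output_file": out if os.path.exists(out) else None}


# Constructed sample: the hash line and "test" from the thread inside a
# clearsign envelope.  The signature block is a placeholder, NOT a real signature.
HASH_LINE = ("b4e5ac6ceb9812dacf1f5db26c65b3329da031b0ef5a6107e38e2d92b91ae5f6"
             "daff6e6774fbb0ab5bb4148ae4f71b4511595149876f181c40fba5ec0e20a399")
CLEAN = f"{BEGIN_SIGNED}\nHash: SHA512\n\n{HASH_LINE}\ntest\n{BEGIN_SIG}\n\nPLACEHOLDERSIG\n=AAAA\n{END_SIG}\n"
TAMPERED = "prepended content\n" + CLEAN + "appended content\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, extraneous_content(sample), "body:", repr(split_clearsigned(sample).body))
```

Use both checks together: `extraneous_content()` answers "is there anything outside the envelope", and `verify_with_gpg()` answers "is the envelope itself authentic". Exit status 0 from gpg alone says nothing about the prepended or appended bytes, because gpg only hashes the text between the headers and the signature block.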