How to detect extraneous content in clearsigned (--clearsign) files?

vedaal at nym.hush.com vedaal at nym.hush.com
Mon Jan 12 23:09:29 CET 2015


On 1/12/2015 at 1:50 PM, "Patrick Schleizer" <patrick-mailinglists at whonix.org> wrote:

>>   gpg --verify --output OUT SIGNEDDATA
-----
>gpg --output ./out --verify ./sha512sums.asc
>
>When it exits 0, then this approach is sound, sane and fine?
-----

There is a way of adding to clearsigned messages that is not detectable:

Adding 'spaces' at the end of the line of visible characters.


Here is a clearsigned message without any spaces added:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This
Is
Just
a
Test
-----BEGIN PGP SIGNATURE-----
Comment: Fingerprint:   C982 4216 3053 B6F3 62F2  7DC0 506F 4FA1 D35F B186
Comment: Key ID:  0xD35FB186
Comment: nothing added to cleartext
-----END PGP SIGNATURE-----


It is possible to add blank spaces to the end of the visible characters on each line, as long as it doesn't result in a new line wrap,
and the signature will still verify.

Don't know of any practical exploits of this property, other than possibly intentionally padding the files to use up someone's storage, 
(not likely in today's large storage capacity ;-)   )

It could be useful if a sender and receiver would agree on a special code as to the padding,
i.e. if someone is being forced to sign something, the sender and receiver could agree
that adding the following spaces to each line for 4 lines:  
7
7
2
4 

would signify the hidden message:

signing 
against
my 
will

(but this could also easily be forged by anyone who knew the system ...)


Anyway, just a curiosity of which users should be aware.

Absolutely *no* suggestions/requests to change GnuPG in any way
(which wouldn't be backward compatible anyway)

Armored signing, or a detached signature of a text file, *will* detect any spaces added on to a line.


vedaal
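
A check for the padding described above, as an added example that is not part of the original post or of GnuPG: OpenPGP cleartext signatures (RFC 4880, section 7.1) drop trailing spaces and tabs from each line before hashing, so this Python sketch reports every cleartext line that carries them. It goes slightly beyond the post by also flagging text outside the armor, which the signature does not cover either; the function name `audit_clearsigned` and the sample are assumptions made for illustration.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def audit_clearsigned(text):
    """Return (line_no, kind, detail) for content the signature does not cover."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the file's final newline, not an extra line
    findings, state = [], "before"
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r")
        marker = line.rstrip(" \t")  # line as hashed: trailing blanks dropped
        if state == "before":
            if marker == BEGIN:
                state = "headers"
            elif marker:
                findings.append((no, "outside-armor", line))
        elif state == "headers":
            if marker == "":  # empty line ends the "Hash:" armor headers
                state = "body"
        elif state == "body":
            if marker == SIG_BEGIN:
                state = "signature"
            elif marker != line:
                findings.append((no, "trailing-whitespace", len(line) - len(marker)))
        elif state == "signature":
            if marker == SIG_END:
                state = "after"
        elif marker:  # state == "after": anything here follows the signature
            findings.append((no, "outside-armor", line))
    if state != "after":
        findings.append((len(lines), "malformed", state))
    return findings


# Constructed sample: the post's test message with 7, 7, 2 and 4 spaces
# appended to its first four lines; the signature body is a placeholder.
SAMPLE = "\n".join([
    BEGIN, "Hash: SHA256", "",
    "This" + " " * 7, "Is" + " " * 7, "Just" + " " * 2, "a" + " " * 4, "Test",
    SIG_BEGIN, "", "(signature data omitted)", SIG_END,
    "text appended after the signature", ""])

if __name__ == "__main__":
    for finding in audit_clearsigned(SAMPLE):
        print(finding)
```

An empty result means only that no unsigned padding or surrounding text was found; the signature itself still has to be verified with gpg.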