GPGSM detached signature without auth attributes

Werner Koch wk at gnupg.org
Tue Nov 22 08:06:31 CET 2016


On Sun, 20 Nov 2016 20:47, jernej at kos.mx said:

> detached CMS signature. The kernel requires that the CMS does not
> contain any authenticated attributes and it refuses to validate the
> signature otherwise [1].

That is unfortunate because all modern implementations use the
indirect signing method (using the attribute 1.2.840.113549.1.9.4).
GPGSM is able to verify the old direct signing method but it can't
create such an old signature.

To change this we need to extend libksba, which I believe can be done
without updating the API.  Also we need to add an option to gpgsm (easy)
and implement the old method (a few hours).

Instead of doing that I would suggest to extend Linux and implement
verification of the indirect signature.  An update to gpgsm would then
be simple by adding an option to not emit any of the other signed
attributes.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
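The difference Werner describes between the old direct signing method and the indirect (signed-attributes) method, as an added example that is not code from the thread, GnuPG or libksba: it builds the DER SignedAttributes set an indirect signer commits to and returns the bytes each kind of signature actually covers (RFC 5652 section 5.4). SHA-256 as the digest and the contentType attribute from RFC 5652 section 11.1 are this example's assumptions.

```python
import hashlib

# OIDs: messageDigest (named in the mail), contentType and id-data (RFC 5652)
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_DATA = "1.2.840.113549.1.7.1"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def attribute(oid: str, value: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }"""
    return tlv(0x30, der_oid(oid) + tlv(0x31, value))


def signed_attrs(content: bytes) -> bytes:
    """SignedAttributes as the verifier hashes them: wrapped in the SET tag
    (0x31), not the [0] IMPLICIT tag (0xA0) used inside SignerInfo.
    DER SET OF order: contentType (shorter encoding) sorts before messageDigest."""
    attrs = attribute(OID_CONTENT_TYPE, der_oid(OID_DATA))
    digest = hashlib.sha256(content).digest()          # assumed: SHA-256
    attrs += attribute(OID_MESSAGE_DIGEST, tlv(0x04, digest))
    return tlv(0x31, attrs)


def signature_input(content: bytes, indirect: bool) -> bytes:
    """Bytes the signature covers: the content itself (direct method) or the
    signedAttrs SET whose messageDigest binds the content (indirect method)."""
    return signed_attrs(content) if indirect else content
```

A verifier that only accepts the direct method (as the kernel does in the mail) hashes the content itself; one that accepts the indirect method must hash the re-tagged SET and separately compare its messageDigest value with the hash of the detached content.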