What happened to this signature?

Moritz Klammler moritz at klammler.eu
Sun Sep 11 21:17:31 CEST 2016

Today, I've posted a signed message (OpenPGP MIME) to a public mailing
list I'm subscribed to.  When it was delivered back to me, the signature
was broken.  I investigated the case and found out that some silly MTA
had un-escaped a minus-character in the message body (quoted-printable)
and added a blank line at the top.  This is annoying but is adequately
explained by stupidity so it didn't alarm me.  Similar things have
happened to me many times in the past.  What *did* alarm me is that a
further investigation revealed that the signature itself was changed,

This is the original, good, signature as it was created by myself.

    -----END PGP SIGNATURE-----

And this is the signature as it came back to me.

    -----END PGP SIGNATURE-----

I have run `gpg --list-packets --verbose` on both signatures and found
that the "created", the "begin of digest" and the "data" field had
changed.  I've checked out RFC 4880 and concluded that "digest algo 8"
must mean that SHA256 has been used.  I *thought* that the "begin of
digest" field should then hold the two leftmost octets of the SHA256
hash of the signed message but this wasn't true for either message.  The
hashes are


for the original and modified messages respectively.  I'm confident that
I've hashed the correct parts of the MIME message because GnuPG verifies
the signature for the original message.

I'm not panicked because the changed signature file is invalid anyway
but I'm somewhat alerted whether the modified signature can still be
explained without assuming malice.  First of all, I would like to better
understand in what ways the signature was modified and appreciate any
help in analyzing the fields.  Secondly, I would like to know whether
this is something that happens on a regular basis to other people as
well.  I cannot see any signs of a real attack here because the message
was not altered in a way that an attacker could possibly benefit from.
The only conspiracy I can come up with is that somebody might have
wanted to challenge my awareness and test my response to such incidents.
Or simply annoy OpenPGP users such that they'll eventually stop using

Thanks in advance for any insights.


Public Key:   http://openpgp.klammler.eu
Fingerprint:  2732 DA32 C8D0 EEEC A081  BE9D CF6C 5166 F393 A9C0
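The "begin of digest" field discussed above is defined in RFC 4880 section 5.2.4: a version 4 signature hashes the signed data, then the hashed portion of the signature packet itself (version octet through the hashed subpackets, which include the creation time), then a trailer, and the field holds the first two octets of that digest, so it is not the prefix of the hash of the message alone, and any change to the creation time changes the digest and the signature MPI with it. The following is an added worked example written for this thread; it is not code from the original post or from GnuPG. It parses an old-format version 4 signature packet, recomputes the left 16 bits the way a verifier does, and compares that with the naive message-only hash. The packet, message, timestamp, key ID and MPI are all constructed here (the MPI is a placeholder, no key is involved), and only one-octet subpacket lengths are handled.

```python
"""Parse a version 4 OpenPGP signature packet (RFC 4880 sections 5.2.3/5.2.4)
and recompute its "begin of digest" field.  Example code for this thread,
not GnuPG's own; the packet below is constructed and carries a dummy MPI."""
import hashlib
import struct

HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
SIG_TYPE_BINARY = 0x00
SIG_TYPE_CANONICAL_TEXT = 0x01  # what PGP/MIME mail clients usually produce


def canonicalize_text(data: bytes) -> bytes:
    """Type 0x01 signatures hash the text with CRLF line endings (RFC 4880 5.2.1)."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def parse_subpackets(area: bytes) -> dict:
    """Minimal subpacket walk: {type: body}; one-octet lengths (< 192) only."""
    out, pos = {}, 0
    while pos < len(area):
        length = area[pos]  # counts the type octet plus the body
        if length >= 192:
            raise ValueError("multi-octet subpacket length not handled in this example")
        sub_type = area[pos + 1] & 0x7F  # high bit is the 'critical' flag
        out[sub_type] = area[pos + 2:pos + 1 + length]
        pos += 1 + length
    return out


def parse_v4_signature(packet: bytes) -> dict:
    """Split an old-format tag 2 packet into the fields gpg --list-packets shows."""
    tag_byte = packet[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, len_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if len_type == 0:
        hdr_len, body_len = 2, packet[1]
    elif len_type == 1:
        hdr_len, body_len = 3, struct.unpack(">H", packet[1:3])[0]
    elif len_type == 2:
        hdr_len, body_len = 5, struct.unpack(">I", packet[1:5])[0]
    else:
        raise ValueError("indeterminate length not handled in this example")
    body = packet[hdr_len:hdr_len + body_len]
    if tag != 2 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed_area = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + unhashed_len  # skip the unhashed area (issuer key id usually lives there)
    hashed_sub = parse_subpackets(hashed_area)
    created = struct.unpack(">I", hashed_sub[2])[0] if 2 in hashed_sub else None
    return {
        "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
        "hash_name": HASH_ALGOS.get(body[3], "unknown"),
        "created": created,                       # "created" in --list-packets
        "left16": body[pos:pos + 2],              # "begin of digest"
        "mpi": body[pos + 2:],                    # "data"
        "hashed_portion": body[:6 + hashed_len],  # version .. end of hashed subpackets
    }


def expected_left16(signed_data: bytes, sig: dict) -> bytes:
    """RFC 4880 5.2.4: H(data || hashed portion || 0x04 0xFF || len(hashed portion))."""
    if sig["sig_type"] == SIG_TYPE_CANONICAL_TEXT:
        signed_data = canonicalize_text(signed_data)
    h = hashlib.new(sig["hash_name"])
    h.update(signed_data)
    h.update(sig["hashed_portion"])
    h.update(b"\x04\xff" + struct.pack(">I", len(sig["hashed_portion"])))
    return h.digest()[:2]


def naive_left16(signed_data: bytes, sig: dict) -> bytes:
    """The tempting but wrong expectation: prefix of the hash of the message alone."""
    return hashlib.new(sig["hash_name"], signed_data).digest()[:2]


def build_v4_sig_packet(signed_data: bytes, created: int,
                        sig_type: int = SIG_TYPE_CANONICAL_TEXT) -> bytes:
    """Construct a packet whose left16 agrees with its own hashed area (placeholder MPI)."""
    hashed_area = b"\x05\x02" + struct.pack(">I", created)              # subpacket 2: creation time
    unhashed_area = b"\x09\x10" + bytes.fromhex("0123456789abcdef")    # subpacket 16: made-up issuer key id
    hashed_portion = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed_area)) + hashed_area  # RSA, SHA256
    left16 = expected_left16(signed_data, {"sig_type": sig_type, "hash_name": "sha256",
                                           "hashed_portion": hashed_portion})
    mpi = b"\x00\x08\xaa"  # placeholder MPI (8-bit value), not a real RSA signature
    body = hashed_portion + struct.pack(">H", len(unhashed_area)) + unhashed_area + left16 + mpi
    return bytes([0x80 | (2 << 2) | 1]) + struct.pack(">H", len(body)) + body  # 0x89 header


def analyze(packet: bytes, signed_data: bytes) -> dict:
    sig = parse_v4_signature(packet)
    sig["left16_expected"] = expected_left16(signed_data, sig)
    sig["left16_naive"] = naive_left16(signed_data, sig)
    sig["consistent"] = sig["left16"] == sig["left16_expected"]
    return sig


# Constructed stand-in for the signed MIME part; constructed timestamp near the post's date.
MESSAGE = b"Content-Type: text/plain\r\n\r\nHello list,\r\nthis is a constructed signed part.\r\n"
CREATED = 1473621451

if __name__ == "__main__":
    info = analyze(build_v4_sig_packet(MESSAGE, CREATED), MESSAGE)
    for key in ("sig_type", "pk_algo", "hash_name", "created"):
        print(f"{key}: {info[key]}")
    print("begin of digest in packet :", info["left16"].hex())
    print("recomputed per RFC 4880   :", info["left16_expected"].hex())
    print("hash of message alone     :", info["left16_naive"].hex(), "(not what the field holds)")
```

To check a real detached signature, dearmor it (for example with `gpg --dearmor`), pass the raw packet to `analyze` together with the exact bytes of the signed MIME part, and compare `left16` with `left16_expected`; a mismatch on an otherwise well-formed packet is exactly what `gpg --verify` reports as BAD signature.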