Slightly OT - I need the proper wording for a signed document

Stefan Claas stefan.claas at posteo.de
Thu Nov 1 23:50:48 CET 2018


Hi vedaal,

On Thu, 01 Nov 2018 15:20:33 -0400, vedaal via Gnupg-users wrote:
> On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> > On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:  
> 
> ....
> 
> > That is the reason why I like to sign the .pdf, containing my key
> > data, with a qualified eIDAS-conformant signature. The detached GnuPG
> > sig should be additional info that matches the key data in the
> > document.
> 
> =====
> 
> This will work well in that if the signature verifies, then the
> information in the .pdf can be considered reliable.
> 
> It is, however, very easy for a MITM attack to 'break' the signature
> by very subtly altering the pdf.
> 
> 
> Try this:
> 
> [1] Take your finished pdf and select all the text and copy it into a
> new Libre Office document.
> 
> [2] At the end of your text, just add a period.
> 
> [3] Use Libre Office's font coloring to change the color of the added
> period to white.
> 
> [4] Export this new document as a pdf with the same file name as your
> original pdf, and the same metadata.
> 
> [5] The pdf looks exactly the same, but the signature will no longer
> verify.
> 
> 
> I don't trust a detached, signed pdf
> (Again, I do, if it verifies, but am not sure if it doesn't verify).
> 
> A simple, but slightly tedious workaround, would be to GnuPG Armor
> Sign the .pdf.
> 
> The eIDAS signature will still work, but the Armored Signed message
> is much harder to alter, and such alteration is detectable as
> malicious rather than a 'mistake'.

Thank you very much for this valuable information, much appreciated!

It is now a bit late, but I will try this out tomorrow.

> Also,
> If you are planning to post your public keyblock in this pdf, please
> be aware that pdf treats a line return as empty whitespace, so when
> trying to import the key, GnuPG does not recognize the empty
> whitespace, and reads the version line as continuous with the
> keyblock, and it won't import.

The idea was to only publish the key data from an output like
gpg --check-sigs, which should give a user enough data.

Regards
Stefan


-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
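The scenario vedaal describes, as an added example that is not part of this thread: a throw-away GnuPG key signs a small text file standing in for the PDF, both detached and clearsigned, and a single added character is shown to break verification in both cases. It assumes GnuPG 2.1 or later is on PATH; the signer identity and fingerprint in the file are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a detached OpenPGP signature covers every
# byte of the file, so an invisible one-byte change (the white period) makes
# verification fail; a clearsigned copy fails in the same way when its text is
# edited. Everything runs in a throw-away keyring and work directory.
set -eu

export GNUPGHOME="$(mktemp -d)"
WORK="$(mktemp -d)"
chmod 700 "$GNUPGHOME" "$WORK"
trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT
cd "$WORK"

# gpg with a batch-friendly, passphrase-less setup for the throw-away key.
gpgq() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Throw-away signing key (constructed identity, never published).
gpgq --quick-generate-key 'Example Signer <signer@example.invalid>' default default never 2>/dev/null

# Stand-in for the PDF: the key data one would publish (constructed fingerprint).
printf 'Example Signer <signer@example.invalid>\nFingerprint: 0000 0000 0000 0000 0000 (constructed)\n' > keydata.txt

# 1) Detached signature over the original bytes.
gpgq --detach-sign --output keydata.txt.sig keydata.txt
# 2) Clearsigned copy: the text travels inside the armored block.
gpgq --clearsign --output keydata.asc keydata.txt

# Tampered copies: one extra byte at the end of the file (what a white-coloured
# period amounts to), and one extra character inside the clearsigned text.
# Caveat: clearsign canonicalisation strips trailing whitespace, so an appended
# space would NOT break the clearsigned copy; an inserted character does.
cp keydata.txt keydata_tampered.txt
printf '.' >> keydata_tampered.txt
sed 's/^Fingerprint:/Fingerprint :/' keydata.asc > keydata_tampered.asc

# Exit 0 when the detached signature $1 verifies against file $2.
verify_detached() { gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; }
# Exit 0 when the clearsigned file $1 verifies.
verify_clearsigned() { gpg --batch --quiet --verify "$1" 2>/dev/null; }

# Any failure means "do not trust this copy", not "probably a mistake".
for f in keydata.txt keydata_tampered.txt; do
  if verify_detached keydata.txt.sig "$f"; then echo "$f: detached signature OK"
  else echo "$f: detached signature FAILS - treat as untrusted"; fi
done
for f in keydata.asc keydata_tampered.asc; do
  if verify_clearsigned "$f"; then echo "$f: clearsigned OK"
  else echo "$f: clearsigned FAILS - treat as untrusted"; fi
done
```

Swapping keydata.txt for a real PDF changes nothing in the outcome, since gpg signs the raw bytes.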