Slightly OT - i need the proper wording for a signed document
Stefan Claas
stefan.claas at posteo.de
Thu Nov 1 23:50:48 CET 2018
Hi vedaal,
On Thu, 01 Nov 2018 15:20:33 -0400, vedaal via Gnupg-users wrote:
> On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> > On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:
>
> ....
>
> > That is the reason why I like to sign the .pdf, containing my key
> > data, with a qualified eIDAS-conformant signature. The detached GnuPG
> > sig should be additional info that matches the key data in the
> > document.
>
> =====
>
> This will work well in that if the signature verifies, then the
> information in the .pdf can be considered reliable.
>
> It is, however, very easy for a MITM attack to 'break' the signature
> by very subtly altering the pdf.
>
>
> Try this:
>
> [1] Take your finished pdf and select all the text and copy it into a
> new Libre Office document.
>
> [2] At the end of your text, just add a period.
>
> [3] Use Libre Office's font coloring to change the color of the added
> period to white.
>
> [4] Export this new document as a pdf with the same file name as your
> original pdf, and the same metadata.
>
> [5] The pdf looks exactly the same, but the signature will no longer
> verify.
>
>
> I don't trust a detached, signed pdf
> (Again, I do, if it verifies, but am not sure if it doesn't verify).
>
> A simple, but slightly tedious workaround, would be to GnuPG Armor
> Sign the .pdf
>
> The eIDAS signature will still work, but the Armored Signed message
> is much harder to alter, and such alteration is detectable as
> malicious rather than a 'mistake'.
Thank you very much for this valuable information, much appreciated!
It is now a bit late, but I will try this out tomorrow.
> Also,
> If you are planning to post your public keyblock in this pdf, please
> be aware that pdf treats a line return as empty whitespace, so when
> trying to import the key, GnuPG does not recognize the empty
> whitespace, and reads the version line as continuous with the
> keyblock, and it won't import.
The idea was to only publish the key data from an output like
gpg --check-sigs, which should give a user enough data.
Regards
Stefan
--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
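The key-block caveat vedaal raises above (a PDF collapses the blank line that separates the armor headers from the base64 body, so the pasted block will not import) can be checked before anyone runs gpg --import on it. The following is an added example, not code from this thread or from GnuPG: it re-inserts the missing blank line and then recomputes the OpenPGP CRC-24 from RFC 4880 section 6.1 over the decoded body and compares it with the "=XXXX" trailer, so a reader can tell whether what they copied out of the PDF is byte-for-byte what the author published. The armored block embedded below is constructed for the example (its body is just the bytes 0..47, not a real key); the function names are the example's own.

```python
import base64
import binascii
import re

# OpenPGP ASCII-armor CRC-24 (RFC 4880, section 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as used for the '=XXXX' armor checksum line."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


# Armor header lines look like "Version: GnuPG v2" (base64 never contains ": ").
HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: .*$")


def restore_armor(text: str) -> str:
    """Re-insert the blank line between armor headers and body if a copy out of
    a PDF dropped it; returns the block otherwise unchanged."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    out, i = [], 0
    while i < len(lines) and not lines[i].startswith("-----BEGIN PGP"):
        out.append(lines[i]); i += 1            # text before the block
    if i == len(lines):
        raise ValueError("no '-----BEGIN PGP' line found")
    out.append(lines[i]); i += 1                # the BEGIN line itself
    while i < len(lines) and HEADER_RE.match(lines[i]):
        out.append(lines[i]); i += 1            # armor headers
    while i < len(lines) and lines[i] == "":
        i += 1                                  # drop any surviving blank lines
    out.append("")                              # exactly one separating blank line
    out.extend(lines[i:])
    return "\n".join(out) + "\n"


def verify_armor_checksum(text: str) -> bool:
    """True when the base64 body decodes and its CRC-24 matches the trailer."""
    lines = restore_armor(text).splitlines()
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP"))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP"))
    body_lines = lines[lines.index("", begin) + 1:end]
    if not body_lines or not body_lines[-1].startswith("="):
        return False
    try:
        body = base64.b64decode("".join(body_lines[:-1]), validate=True)
        trailer = base64.b64decode(body_lines[-1][1:], validate=True)
    except binascii.Error:
        return False
    return len(trailer) == 3 and crc24(body) == int.from_bytes(trailer, "big")


def make_armor(body: bytes, headers, blank_line: bool = True) -> str:
    """Build a constructed armored block (used only to create sample input)."""
    b64 = base64.b64encode(body).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "=" + base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    parts = ["-----BEGIN PGP PUBLIC KEY BLOCK-----", *headers]
    if blank_line:
        parts.append("")
    parts += rows + [trailer, "-----END PGP PUBLIC KEY BLOCK-----"]
    return "\n".join(parts) + "\n"


# Constructed sample: not a real key, just bytes 0..47 with a Version header.
SAMPLE_BODY = bytes(range(48))
PUBLISHED = make_armor(SAMPLE_BODY, ["Version: GnuPG v2"])
PASTED_FROM_PDF = make_armor(SAMPLE_BODY, ["Version: GnuPG v2"], blank_line=False)

if __name__ == "__main__":
    print("published block intact:", verify_armor_checksum(PUBLISHED))
    print("pasted block (blank line lost) intact:", verify_armor_checksum(PASTED_FROM_PDF))
    # one flipped bit in the body (0x02 -> 0x03) must be caught by the checksum
    print("tampered body intact:", verify_armor_checksum(PASTED_FROM_PDF.replace("AAEC", "AAED", 1)))
```

The CRC only tells you the text survived the copy; it is not a signature and says nothing about who produced the block. That is still the role of the qualified signature on the PDF and of gpg --check-sigs on the imported key, as discussed above.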