<html><head></head><body><div dir="auto">STOP</div><br><br><div class="gmail_quote"><div dir="auto">On February 6, 2026 12:27:20 PM MST, gnupg-users-request@gnupg.org wrote:</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail"><div dir="auto">Send Gnupg-users mailing list submissions to<br> gnupg-users@gnupg.org<br><br>To subscribe or unsubscribe via the World Wide Web, visit<br> <a href="https://lists.gnupg.org/mailman/listinfo/gnupg-users">https://lists.gnupg.org/mailman/listinfo/gnupg-users</a><br>or, via email, send a message with subject or body 'help' to<br> gnupg-users-request@gnupg.org<br><br>You can reach the person managing the list at<br> gnupg-users-owner@gnupg.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of Gnupg-users digest..."<br><br><br>Today's Topics:<br><br> 1. Re: Bad signatures issued on macOS (John Soo)<br> 2. Re: Bad signatures issued on macOS (Werner Koch)<br> 3. [Announce] Libgcrypt 1.12.0 released (Werner Koch)<br> 4. Extra socket forwarding - SUCKS (John Runyon)<hr>Message: 1<br>Date: Wed, 28 Jan 2026 10:38:37 -0700<br>From: John Soo <john.soo+gnupg-users@arista.com><br>To: John Soo via Gnupg-users <gnupg-users@gnupg.org>, John Soo<br> <john.soo+gnupg-users@arista.com><br>Subject: Re: Bad signatures issued on macOS<br>Message-ID:<br> <CAJyRyRroZaE2ZySmO6R-fmYW2kAHuRtWAW+F+vgHKTmKU5itHg@mail.gmail.com><br>Content-Type: text/plain; charset="UTF-8"<br><br>Thanks Werner!<br><br>I tried with -v --debug hashing and the content for hashing was not<br>printed, is there another flag I need to use?<br><br>For reference, this was a good sig:<br><br>gpg: reading options from '[cmdline]'<br>gpg: reading options from '/Users/<redacted>/.gnupg/common.conf'<br>gpg: enabled debug flags: hashing<br>gpg: enabled compatibility flags:<br>gpg: using subkey B67EB1E57374A315 instead of primary key 6E628CC4145FD2ED<br>gpg: writing to 'data.txt.asc'<br>gpg: RSA/SHA256 signature from: "B67EB1E57374A315 <redacted>"<br>gpg: secmem usage: 1344/32768 bytes in 2 blocks<br><br>signature was<br>-----BEGIN PGP SIGNATURE-----<br><br>iQEzBAABCAAdFiEEG34w4o9D0vlGnPYqtn6x5XN0oxUFAml6SJwACgkQtn6x5XN0<br>oxXMrgf9HQbhUZZUp+pPHSpT5Rw3GvnJLH5Sq5KUtmEYs0PArjwNN86OeHN+EENd<br>f5F2PXHCTtNgY4OKibm5iJWO1qsCVKJeg/nhdqdx6xLuskAzBi5ogKJOfORSYKpY<br>vLvRWbK55ag4iZqxeLJHrt6Chu9qsdlPyWMptzSQGlX2+9fVybmghdthFiUUOoBk<br>FZDXuH1s30pUha7h4mNAn52A3P8pIpqX4f46vRTCYqjTtRuc1bXotQFvcmv8WmP+<br>URcluMyQc4G5eSBGAeTODtgOBTLntvWMbFxLopO9o7HSIiKUNqgJxl6ZtUzbUxQu<br>hziwl6C2gT+1/OUn16hz1m8cIEkAJA==<br>=m0Gd<br>-----END PGP SIGNATURE-----<br><br>verification was<br>gpg: reading options from '[cmdline]'<br>gpg: reading options from '/Users/<redacted>/.gnupg/common.conf'<br>gpg: enabled debug flags: hashing<br>gpg: enabled compatibility flags:<br>gpg: Signature made Wed Jan 28 11:34:20 2026 CST<br>gpg: using RSA key 1B7E30E28F43D2F9469CF62AB67EB1E57374A315<br>gpg: using subkey B67EB1E57374A315 instead of primary key 6E628CC4145FD2ED<br>gpg: using pgp trust model<br>gpg: Good signature from "<redacted>" [unknown]<br>gpg: WARNING: This key is not certified with a trusted signature!<br>gpg: There is no indication that the signature belongs to the owner.<br>Primary key fingerprint: 1510 C864 04E2 F6EC A028 71DB 6E62 8CC4 145F D2ED<br> Subkey fingerprint: 1B7E 30E2 8F43 D2F9 469C F62A B67E B1E5 7374 A315<br>gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048<br>gpg: secmem usage: 0/32768 bytes in 0 blocks<br>result: succeeded<br><br><br>--- John<br><br>On Wed, Jan 28, 2026 at 7:19?AM Werner Koch <wk@gnupg.org> wrote:<br></div><blockquote class="gmail_quote" style="margin-bottom: 1ex; --com-fsck-k9__blockquote-default-border-color: #729fcf;"><div dir="auto"><br> Hi!<br><br> On Tue, 27 Jan 2026 15:33, John Soo said:<br><br></div><blockquote class="gmail_quote" style="margin-bottom: 1ex; --com-fsck-k9__blockquote-default-border-color: #ad7fa8;"><div dir="auto">Running the following script will often issue a bad signature after<br>only a few rounds:<br></div></blockquote><div dir="auto"><br> You may run into problems when mixing stdout and stderr (&>FILE). Also<br> please do not use --debug-level guto or any other of those debug<br> levels; they are too noisy or don't print what you want.<br><br> Always use -v or --verbose and then selected debug flags. In your case<br> I would suggest<br><br> --debug hashing<br><br> which writes files with what was actually hashed for signature creation<br> and verification. Compare them.<br><br><br><br> Shalom-Salam,<br><br> Werner<br><br><br> --<br> The pioneers of a warless world are the youth that<br> refuse military service. - A. Einstein<br></div></blockquote><div dir="auto"><hr>Message: 2<br>Date: Thu, 29 Jan 2026 10:53:23 +0100<br>From: Werner Koch <wk@gnupg.org><br>To: John Soo via Gnupg-users <gnupg-users@gnupg.org><br>Cc: John Soo <john.soo+gnupg-users@arista.com><br>Subject: Re: Bad signatures issued on macOS<br>Message-ID: <87ms1wycbw.fsf@jacob.g10code.de><br>Content-Type: text/plain; charset="us-ascii"<br><br>On Wed, 28 Jan 2026 10:38, John Soo said:<br></div><blockquote class="gmail_quote" style="margin-bottom: 1ex; --com-fsck-k9__blockquote-default-border-color: #729fcf;"><div dir="auto"> Thanks Werner!<br><br> I tried with -v --debug hashing and the content for hashing was not<br> printed, is there another flag I need to use?<br></div></blockquote><div dir="auto"><br>Let's see using some arbitrary signature<br><br> $ gpg --verify --debug hashing swdb.lst.sig swdb.lst<br> <br> gpg: reading options from '/home/wk/.gnupg/gpg.conf'<br> gpg: reading options from '[cmdline]'<br> gpg: reading options from '/home/wk/.gnupg/common.conf'<br> gpg: NOTE: THIS IS A DEVELOPMENT VERSION!<br> gpg: It is only intended for test purposes and should NOT be<br> gpg: used in a production environment or with production keys!<br> gpg: enabled debug flags: hashing<br> gpg: enabled compatibility flags:<br> gpg: Signature made Fri 23 Feb 2024 02:34:37 PM CET<br> gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA<br> gpg: using pgp trust model<br> gpg: please do a --check-trustdb<br> gpg: Good signature from "Werner Koch (dist signing 2020)" [ultimate]<br> gpg: binary signature, digest algorithm SHA256, key algorithm ed25519<br> gpg: secmem usage: 0/32768 bytes in 0 blocks<br><br> $ ls -lt | head -3<br> total 29839972<br> -rw-r--r-- 1 wk wk 4725 Jan 29 10:44 dbgmd-00001.verify<br> -rw-r--r-- 1 wk wk 41 Jan 29 10:44 dbgmd-00002.unknown<br><br>dbgmd-00001.verify is the same as swdb.lst<br>dbgmd-00002.unknown is the trailer hashed after swdb.lst.<br><br>When creating the signature you should have seen<br>dbgmd-00001.sign with the to be signed data<br>dbgmd-00001.unknown with the trailer.<br><br>dbgmd-00001.unknown gets overwritten so you need to store it away for<br>later comparing.<br><br><br>Salam-Shalom,<br><br> Werner<br><br><br></div></pre></blockquote></div><div dir="auto"><div class='k9mail-signature'>-- <br>"I'm old but I'm not obsolete," <br>Arnold Schwarzenegger <br>Terminator Genisys</div></div></body></html>