Inconsistency in standalone signature definitions
Andrew Gallagher
andrewg at andrewg.com
Thu Oct 31 00:44:20 CET 2024
There appears to be an inconsistency in the librepgp spec regarding standalone signatures.
Section 5.2.1 (Signature Types) states:
```
0x02 Standalone signature. ... It is calculated identically to a signature over a zero-length binary document.
```
But then Section 5.2.4 (Computing Signatures) states:
```
A V5 signature hashes…
…
Only for document signatures (type 0x00 or 0x01) the following three data items are hashed here:
```
Read alone, this implies that a V5 type 0x02 signature is *not* the same as a V5 type 0x00 signature over a zero-length file.
However, immediately afterward it then clarifies:
```
Note that for a detached signatures this means to hash 6 0x00 octets
```
It would be more consistent (and less confusing) to update the second text snippet above to read:
```
Only for document signatures (type 0x00, 0x01 or 0x02) the following three data items are hashed here:
```
Since the three extra fields (albeit with constant zero values) are included in the hash for V5 0x02 sigs.
A
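The two readings discussed in the message above, as an added Python example that is not part of the original post and not LibrePGP project code: it builds the octets hashed for a V5 signature over a zero-length document and shows that the digest for type 0x02 depends on which reading an implementation follows. The field layout, the trailer (0x05 0xFF plus an eight-octet length of the signature fields only) and the algorithm ids are assumptions made for this sketch; only the three extra data items and the 6 0x00 octets come from the quoted text.

```python
import hashlib
import struct

# Constructed sample values (not from the post): algorithm ids and an empty
# hashed-subpacket area, chosen only so that there is something to hash.
PUBKEY_ALGO, HASH_ALGO, HASHED_SUBPACKETS = 1, 8, b""

LITERAL_READING = {0x00, 0x01}         # section 5.2.4 as currently worded
PROPOSED_READING = {0x00, 0x01, 0x02}  # wording proposed in the post


def v5_preimage(sig_type, document, types_with_extra_fields):
    """Octets fed to the hash for a V5 signature (layout is an assumption)."""
    # Signature packet fields: version, type, algorithms, hashed subpackets.
    fields = bytes([5, sig_type, PUBKEY_ALGO, HASH_ALGO])
    fields += struct.pack(">H", len(HASHED_SUBPACKETS)) + HASHED_SUBPACKETS
    extra = b""
    if sig_type in types_with_extra_fields:
        # Content format, empty file name (length octet only), four-octet
        # date: all zero with no Literal Data packet, i.e. 6 0x00 octets.
        extra = bytes(6)
    # Assumed trailer: 0x05 0xFF plus eight-octet length of `fields`.
    trailer = b"\x05\xff" + struct.pack(">Q", len(fields))
    return document + fields + extra + trailer


def v5_digest(sig_type, document, types_with_extra_fields):
    """SHA-256 over the preimage, as a hex string."""
    return hashlib.sha256(
        v5_preimage(sig_type, document, types_with_extra_fields)).hexdigest()


def readings_agree(sig_type, document=b""):
    """True if both readings of section 5.2.4 give the same digest."""
    return (v5_digest(sig_type, document, LITERAL_READING)
            == v5_digest(sig_type, document, PROPOSED_READING))


if __name__ == "__main__":
    for sig_type in (0x00, 0x02):
        print(f"type 0x{sig_type:02x}: readings agree = {readings_agree(sig_type)}")
```

Under the proposed wording the type 0x02 input differs from the type 0x00 input only in the signature type octet, which is what "calculated identically" in section 5.2.1 describes.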