bug wrt. verification of detached sigs and -t

Alexander Zangerl a.zangerl at xsoft.at
Mon Feb 14 10:08:57 CET 2000


the scenario:

generate a file with some text, and put some trailing blanks or other
whitespace on one line.

detached-sign it using gpg, and be sure to use canonical text mode (-t).

if you try to verify the signature, gpg tells you that it's bad and
not matching the contents.

now remove the trailing whitespace from the file you've signed, and
retry the verification of the unchanged signature vs the hand-stripped
file: gpg now tells you all is ok.

my interpretation of this (and earlier discussions about 5.2.1 of rfc2440
on this list): gpg does strip trailing whitespace when computing the
signature in the first place, as rfc2440 mandates for signature class
1 (canonical text), but it does not strip the spaces when computing the 
signature for verification.

this behaviour was tested using version 1.0.1.
a crosscheck with pgp 2.6.3i showed the expected behaviour,
i.e. detached-signing with text-mode and verification of said signature
works for data with trailing whitespace.

IMHO this is a bug in the conversion of data to canonical text format
when verifying signatures of class 1: i'd expect that while gpg 
might not be able to interoperate with all the possible implementations
of this feature in earlier/other *gp implementations, it should at least
be consistent taken by itself and be able to verify its own signatures
correctly.

regards,
az

-- 
++ Dipl.-Ing. Alexander Zangerl          Xsoft GmbH. ++
++ a.zangerl at xsoft.at           http://www.xsoft.at/ ++
++ phone +43 1 7963636 - 28    fax +43 1 7963636 - 18 ++
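
Added example (not part of the original message and not GnuPG code): a small Python model of the interpretation given above, in which the signer strips trailing whitespace during canonicalisation and the verifier does not. The function names, the sample text and the use of SHA-256 as a stand-in for the signature hash are assumptions.

```python
import hashlib
import re


def canonical_text(data: bytes, strip_trailing_ws: bool) -> bytes:
    """Convert line endings to CRLF; optionally drop trailing blanks/tabs per line."""
    lines = re.split(rb"\r\n|\r|\n", data)
    if strip_trailing_ws:
        lines = [ln.rstrip(b" \t") for ln in lines]
    return b"\r\n".join(lines)


def text_digest(data: bytes, strip_trailing_ws: bool) -> str:
    # Assumption: SHA-256 over the canonical form stands in for the
    # hash a real text-mode signature would be computed over.
    return hashlib.sha256(canonical_text(data, strip_trailing_ws)).hexdigest()


def verifies(signed: bytes, presented: bytes, verifier_strips: bool) -> bool:
    """Signer side always strips (as the message infers);
    the verifier's behaviour is the parameter under test."""
    return text_digest(signed, True) == text_digest(presented, verifier_strips)


# Constructed sample input: two lines carry trailing blanks / a tab.
ORIGINAL = b"first line   \nsecond line\t\nthird line\n"
HAND_STRIPPED = b"first line\nsecond line\nthird line\n"

if __name__ == "__main__":
    cases = [
        ("inconsistent verifier, original file", ORIGINAL, False),
        ("inconsistent verifier, hand-stripped file", HAND_STRIPPED, False),
        ("consistent verifier, original file", ORIGINAL, True),
        ("consistent verifier, hand-stripped file", HAND_STRIPPED, True),
    ]
    for label, presented, strips in cases:
        result = "good" if verifies(ORIGINAL, presented, strips) else "BAD"
        print(f"{label}: {result}")
```

The first two cases reproduce the reported symptom (bad signature on the file as signed, good on the hand-stripped copy); the last two show that applying the same canonicalisation on both sides makes both files verify.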


