GnuPG does not detect injection of unsigned data

David Shaw dshaw at jabberwocky.com
Fri Jun 2 14:56:32 CEST 2006


On Thu, Jun 01, 2006 at 04:33:03PM +0200, gpgdev.5.signal11 at spamgourmet.com wrote:
> Hello,
> 
> From the background information in the announcement, it seems that this
> problem does not affect cleartext signatures. 
> 
> Am I correct, or is this a misinterpretation? The announcement sounds
> like gpg would still correctly verify (only) data covered by the signature, but then
> output data which is not covered by the signature. So it would still be safe to
> assume that anything between -----BEGIN PGP SIGNED MESSAGE----- and the
> following -----BEGIN PGP SIGNATURE----- is correctly validated(?).

The problem does not affect cleartext signatures.

Just for reference, the problem also does not affect signed software
tarballs (i.e. detached signatures), or PGP/MIME signed emails
(they're actually detached signatures).

The problem *might* affect PGP/MIME signed+encrypted emails,
signed+encrypted files in general, or unencrypted but binary (not
cleartext) signed messages.

David
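As an added illustration (not code from David's mail or from GnuPG), a minimal walk over the OpenPGP packet framing of a binary signed message: the signature covers only the Literal Data packet bracketed by the One-Pass Signature and Signature packets, so a literal packet outside that bracket is data no signature in the message covers, which is what a checker of a binary (non-cleartext) signed message has to flag. The sample packets, placeholder key id and signature body are constructed; the code checks packet framing only and verifies no signatures.

```python
ONEPASS, SIG, LITERAL = 4, 2, 11   # OpenPGP packet tags (RFC 4880, section 4.3)

def parse_packets(data: bytes):
    """Yield (tag, body) per top-level packet; old- and new-format headers, no partial bodies."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                               # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def uncovered_literal_packets(data: bytes) -> list:
    """Indices of Literal Data packets outside any One-Pass Signature / Signature bracket."""
    depth, uncovered = 0, []
    for idx, (tag, _) in enumerate(parse_packets(data)):
        if tag == ONEPASS:
            depth += 1
        elif tag == SIG and depth > 0:
            depth -= 1
        elif tag == LITERAL and depth == 0:              # no signature covers this packet
            uncovered.append(idx)
    return uncovered

# Constructed sample (new-format headers, one-octet lengths, placeholder key id and signature body).
def pkt(tag: int, body: bytes) -> bytes:                 # body must be < 192 octets
    return bytes([0xC0 | tag, len(body)]) + body
def literal(text: bytes) -> bytes:                       # format 'b', no filename, zero date
    return b"b\x00" + b"\x00" * 4 + text
ONEPASS_BODY = b"\x03\x00\x08\x01" + b"\x00" * 8 + b"\x01"  # v3, binary sig, SHA-256, RSA, key id, nested
SIGNED = pkt(ONEPASS, ONEPASS_BODY) + pkt(LITERAL, literal(b"hello")) + pkt(SIG, b"\x04" + b"\x00" * 15)
INJECTED = SIGNED + pkt(LITERAL, literal(b"appended, not signed"))   # the case the checker flags
```

Running `uncovered_literal_packets` on `SIGNED` returns an empty list, while on `INJECTED` it returns `[3]`, the index of the trailing literal packet that no signature covers.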
