Obtain a signature ID with only a sig file?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 2 03:02:33 CET 2013


On 01/01/2013 05:39 PM, Jeff Hanson wrote:
> Is there a way to obtain the signature ID from a detached sig file without
> the signed file?  I haven't been able to get anything out of gpg without
> both files present.

If you're talking about the "SIG_ID", then I don't think that's
possible.  According to the DETAILS file
(/usr/share/doc/gnupg/DETAILS.gz on debian-ish systems):

>>     SIG_ID  <radix64_string>  <sig_creation_date>  <sig-timestamp>
>>         This is emitted only for signatures of class 0 or 1 which
>>         have been verified okay.  The string is a signature id
>>         and may be used in applications to detect replay attacks
>>         of signed messages.  Note that only DLP algorithms give
>>         unique ids - others may yield duplicated ones when they
>>         have been created in the same second.
>> 
>>         Note, that SIG-TIMESTAMP may either be a number with seconds
>>         since epoch or an ISO 8601 string which can be detected by the
>>         presence of the letter 'T' inside.

And you can't have a signature that's "verified okay" if you don't have
the data that was signed, since the OpenPGP signature block doesn't
contain the digested data itself (v3 data signatures contain the two
leftmost octets of the digest, but that's certainly not enough to
calculate the SIG_ID).

Regards,

	--dkg
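As an added illustration (not part of dkg's reply or of GnuPG's own code), the parser below walks a binary detached signature packet (RFC 4880, tag 2) and lists what it carries: algorithm ids, creation time, issuer key id and the two leftmost octets of the digest, but neither the full digest nor the signed data, which is why the file alone can never yield a SIG_ID. The SAMPLE_SIG bytes are constructed by hand and are not a real, verifiable signature.

```python
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

def _packet_body(data: bytes) -> bytes:
    """Strip the RFC 4880 packet header (old or new format); return a tag-2 body."""
    t = data[0]
    if not t & 0x80:
        raise ValueError("not an OpenPGP packet")
    if t & 0x40:                                  # new-format header (0xC2)
        tag, first = t & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        else:
            raise ValueError("unsupported packet length encoding")
    else:                                         # old-format header (0x88/0x89)
        tag, off = (t >> 2) & 0x0F, 1 + (1 << (t & 0x03))
        length = int.from_bytes(data[1:off], "big")
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    return data[off:off + length]

def parse_signature(data: bytes) -> dict:
    """Return the fields a v4 signature packet actually carries: no digest, no data."""
    b = _packet_body(data)
    if b[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{b[0]}")
    sig = {"sig_type": b[1], "pubkey_algo": b[2], "hash_algo": HASH_ALGOS.get(b[3], b[3]),
           "created": None, "issuer": None}
    pos = 4
    for _area in ("hashed", "unhashed"):          # two length-prefixed subpacket areas
        end = pos + 2 + struct.unpack(">H", b[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ln, hdr = b[pos], 1                   # subpacket length: one or two octets
            if 192 <= ln < 255:
                ln, hdr = ((ln - 192) << 8) + b[pos + 1] + 192, 2
            sp_type, sp = b[pos + hdr] & 0x7F, b[pos + hdr + 1:pos + hdr + ln]
            if sp_type == 2:                      # signature creation time
                sig["created"] = struct.unpack(">I", sp)[0]
            elif sp_type == 16:                   # issuer key id
                sig["issuer"] = sp.hex()
            pos += hdr + ln
    sig["hash_left16"] = b[pos:pos + 2].hex()     # only 2 octets of the digest survive
    return sig

# Constructed sample: minimal v4 RSA/SHA256 binary-document signature packet
# (old-format header 0x88, 30-octet body, toy 16-bit MPI). Not a real signature.
SAMPLE_SIG = bytes.fromhex(
    "881e" "04000108" "0006" "050250e40000" "000a" "09100123456789abcdef" "abcd" "0010fffe")

if __name__ == "__main__":
    print(parse_signature(SAMPLE_SIG))
```

Run it on a real `gpg --detach-sign` output (binary, not armored) to see the same picture: every field is metadata about the signature, and the digest over the data is only present as its 16-bit prefix.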
