detached signature, "can't hash datafile: No data"
Sami Badri
sami.badri at gmail.com
Sat Jan 1 20:01:52 CET 2022
On 12/31/21 23:12, Robert J. Hansen via Gnupg-users wrote:
>> Shouldn't I be able to verify the signature independently?
>
> Why?
>
> A signature is a piece of data that attests another piece of data is
> unchanged. If it doesn't have a second piece of data to compare to,
> all it can say is "I have a good digital signature that attests to a
> hash value of XYZ for some piece of data, but, uh ... where's the data?"
>
Makes sense. I see my mistake. I was practicing on my own created
signatures on my own files. So I was able to verify my own .sig because...
gpg: assuming signed data in '/Users/samibadri/desktop/cryptcommands.txt'
gpg: Signature made Sat Jan 1 13:06:36 2022 EST
gpg: using RSA key 5CD9A3BC1577A0FDB8B11CD02DE90FECE5438DA0
gpg: Good signature from "SamiB (pgp key pair #1)
<sami.badri at gmail.com>" [ultimate]
> Detached signatures (clearsign signatures being one kind of them) do
> not include the original data. You can sign gigabytes of data and the
> detached signature will still be only a few hundred bytes in size,
> because the original data isn't there.
>
I would've thought that a clearsign signature preserves the data above
the pgp signature, in plaintext. Isn't the plaintext above the
signature the original data?
S.B.
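
The cleartext signature framing asked about above, as an added example that is not part of the original post: per RFC 4880 section 7, a clearsigned file carries the dash-escaped text between the `BEGIN PGP SIGNED MESSAGE` header and the signature armor, and this parser returns only that covered text. The function name `split_clearsigned` is hypothetical, the sample message is constructed, and its signature body is a placeholder, so the code shows the framing only and does not verify anything.

```python
# Added example: framing of an OpenPGP cleartext signature (RFC 4880, section 7).
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(message):
    """Return (hash_names, covered_text, signature_armor) for a clearsigned message."""
    lines = message.replace("\r\n", "\n").split("\n")
    if BEGIN_MSG not in lines:
        raise ValueError("no cleartext header; a bare signature block carries no text")
    i = lines.index(BEGIN_MSG) + 1
    hashes = []
    while i < len(lines) and lines[i] != "":  # only "Hash:" headers may appear here
        name, sep, value = lines[i].partition(": ")
        if name != "Hash" or not sep:
            raise ValueError("unexpected armor header: %r" % lines[i])
        hashes += [h.strip() for h in value.split(",")]
        i += 1
    i += 1  # skip the blank line that ends the headers
    try:
        sig_start = lines.index(BEGIN_SIG, i)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("signature armor missing or unterminated") from None
    body = []
    for line in lines[i:sig_start]:
        if line.startswith("- "):      # undo dash-escaping
            line = line[2:]
        elif line.startswith("-"):
            raise ValueError("unescaped dash line inside the cleartext")
        body.append(line.rstrip(" \t"))  # trailing blanks are not signed
    # The line ending before BEGIN_SIG is not part of the signed text, and
    # nothing before BEGIN_MSG or after END_SIG is covered by the signature.
    return hashes, "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


# Constructed sample; the armor body is a placeholder, not a real signature.
SAMPLE = "\n".join([
    "note outside the signed region",
    BEGIN_MSG, "Hash: SHA256", "",
    "gpg --verify file.sig file",
    "- --detach-sign writes file.sig   ",
    BEGIN_SIG, "", "(placeholder, not a real signature)", END_SIG, "",
])

if __name__ == "__main__":
    hashes, text, sig = split_clearsigned(SAMPLE)
    print(hashes, repr(text), sep="\n")
```

Feeding it a file that holds only a `BEGIN PGP SIGNATURE` block raises `ValueError`, since such a file has no cleartext section to return.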