Bad signatures issued on macOS
Werner Koch
wk at gnupg.org
Thu Jan 29 10:53:23 CET 2026
On Wed, 28 Jan 2026 10:38, John Soo said:
> Thanks Werner!
>
> I tried with -v --debug hashing and the content for hashing was not
> printed, is there another flag I need to use?
Let's see using some arbitrary signature
$ gpg --verify --debug hashing swdb.lst.sig swdb.lst
gpg: reading options from '/home/wk/.gnupg/gpg.conf'
gpg: reading options from '[cmdline]'
gpg: reading options from '/home/wk/.gnupg/common.conf'
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: enabled debug flags: hashing
gpg: enabled compatibility flags:
gpg: Signature made Fri 23 Feb 2024 02:34:37 PM CET
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: using pgp trust model
gpg: please do a --check-trustdb
gpg: Good signature from "Werner Koch (dist signing 2020)" [ultimate]
gpg: binary signature, digest algorithm SHA256, key algorithm ed25519
gpg: secmem usage: 0/32768 bytes in 0 blocks
$ ls -lt | head -3
total 29839972
-rw-r--r-- 1 wk wk 4725 Jan 29 10:44 dbgmd-00001.verify
-rw-r--r-- 1 wk wk 41 Jan 29 10:44 dbgmd-00002.unknown
dbgmd-00001.verify is the same as swdb.lst
dbgmd-00002.unknown is the trailer hashed after swdb.lst.
When creating the signature you should have seen
dbgmd-00001.sign with the to be signed data
dbgmd-00001.unknown with the trailer.
dbgmd-00001.unknown gets overwritten so you need to store it away for
later comparing.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 284 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20260129/37cb8e79/attachment.sig>
More information about the Gnupg-users
mailing list