Re: Outstanding question - rule on cleartext signing last line

<vedaal@hush.com> Mon, 26 December 2005 23:16 UTC

Message-Id: <200512262305.jBQN5fE1077842@mailserver2.hushmail.com>
Date: Mon, 26 Dec 2005 15:05:37 -0800
To: ietf-openpgp@imc.org
Subject: Re: Outstanding question - rule on cleartext signing last line
From: vedaal@hush.com

On Mon, 26 Dec 2005 13:32:13 -0800 "Daniel A. Nagy" <nagydani@epointsystem.org> wrote:
>On Mon, Dec 26, 2005 at 05:03:59PM +0000, Ben Laurie wrote:
>
>> I have just tested GPG yet again, and cleartext signatures of two files,
>> one without a newline at the end, and one with, look identical:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> test
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.2 (FreeBSD)
>
>Yep, that's a bug in GPG and it does not follow from the spec. My
>implementation does not do that. In my opinion, the correct behavior would
>be reversible.
>The output of gpg --clearsign should be identical to that converted from the
>output of gpg -ts.

i really can't see any bug in gnupg about this

gnupg clearsigns exactly what the user gives it

if the user gives it text with no empty line after it,
then the signature block begins right after the text

if the user wants a blank line and includes the line return, 
then gnupg signs after the empty line

they are *not* identical or interchangeable

here are two, one with the empty line, 
and one without:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 test
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
=uGPl
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
=+LRk
-----END PGP SIGNATURE-----

addition or subtraction of the empty line invalidates the signature

and this is also true of all commandline pgp versions


vedaal
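
An added example, not part of the original message and not GnuPG's code: a Python sketch that extracts the bytes covered by a cleartext signature, following the rules later published in RFC 4880 section 7.1 (dash-escaping undone, trailing spaces and tabs stripped, CRLF line endings, and the line ending before the signature marker excluded). The function names and the two sample messages are constructed for illustration, and the digest covers only the text, not the signature trailer a real signature also hashes.

```python
import hashlib

MSG_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_MARKER = "-----BEGIN PGP SIGNATURE-----"


def signed_text(message: str) -> bytes:
    """Return the canonical bytes of the cleartext that the signature covers."""
    lines = message.replace("\r\n", "\n").split("\n")
    start = lines.index(MSG_MARKER) + 1
    # Armor headers ("Hash: ...") end at the first empty line, which is not signed.
    sep = lines.index("", start)
    # A dash-escaped marker inside the body ("- -----BEGIN ...") does not match here.
    end = lines.index(SIG_MARKER, sep)
    body = []
    for line in lines[sep + 1:end]:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing spaces/tabs are not signed
    # Lines are joined with CRLF. Nothing is appended after the last line:
    # the line ending before the signature marker is not part of the signed text.
    return "\r\n".join(body).encode("utf-8")


def text_digest(message: str) -> str:
    """SHA-256 over the canonical text only (illustrative, no signature trailer)."""
    return hashlib.sha256(signed_text(message)).hexdigest()


def framework(body: str) -> str:
    """Build a constructed cleartext framework around body (signature elided)."""
    return (f"{MSG_MARKER}\nHash: SHA256\n\n{body}\n"
            f"{SIG_MARKER}\n(signature elided)\n-----END PGP SIGNATURE-----\n")


# Constructed samples mirroring the two layouts shown in the message above.
WITHOUT_EMPTY_LINE = framework("test")
WITH_EMPTY_LINE = framework("test\n")

if __name__ == "__main__":
    for name, msg in (("without empty line", WITHOUT_EMPTY_LINE),
                      ("with empty line", WITH_EMPTY_LINE)):
        print(name, repr(signed_text(msg)), text_digest(msg))
```
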