gnupg bug #1692 - was: Validation of clear signed signatures broken for appended space(s)
GPG2 2.0.22 (found in 2.0.18)
10.8.5
When creating a clear-signed signature and then modifying the clear-signed portion by appending spaces up to a newline, the --verify finds the integrity of the file as valid. This appears to be minor for two reasons:
- Only spaces that are appended appear to cause this
issue
- One can simply use a detached signature to avoid this issue
However, I find that due to the intent behind this feature, it is indeed a bug.
Please describe what you did expect instead
I expected the verification to fail since the integrity of the
clear signed message had been tampered with. According to GPG2(1),
the clear signed portion is the only portion validated and
understandably so. In other words, I expected:
…
gpg: BAD signature from "Ray Daley [email blocked]"
If you remember, please describe the steps leading up to the problem
Create a sample file
$ echo Hello > foo.txt
Verify its SHA-1 hash
$ gpg --print-md sha1 < foo.txt 1D22 9271 928D
3F9E 2BB0 375B D6CE 5DB6 C6D3 48D9
Compare the previous against a 3rd party tool to ensure we
arrive at a matching SHA-1 hash (i.e., I used openssl)
$ cat foo.txt | openssl sha1
1d229271928d3f9e2bb0375bd6ce5db6c6d348d9
Generate a clear-signed representation
$ gpg --clearsign foo.txt
You need a passphrase to unlock the secret key for
user: "Ray Daley [email blocked]"
4096-bit RSA key, ID 8FF8A1FA, created 2010-02-02
...
Verify the integrity (no modification)
$ gpg --verify foo.txt.asc gpg: Signature made Mon May 12 20:10:05
2014 MST using RSA key ID 8FF8A1FA
gpg: Good signature from "Ray Daley [email blocked]"
After appending one or more spaces to the original text
$ gpg --verify foo.txt.asc gpg: Signature made Mon May 12 20:12:22
2014 MST using RSA key ID 8FF8A1FA
gpg: Good signature from "Ray Daley [email blocked]"
Note:
- Prepending any number of spaces produces expected results (i.e.,
bad signature) - Any other tested character seems to result in an
expected failure (however, I did not try every character due to
time constraints) - Workaround (and agreed best practice) is to use
a detached signature
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Luke Le on 28 May, 2014 03:13 PM
Hi Ray,
this is in fact very interesting. I can reproduce it here and it seems to be a "bug" (or maybe it's also on purpose) of gnupg. Could you file a bug with them on https://bugs.gnupg.org/gnupg ?
Thanks.
Support Staff 2 Posted by Steve on 05 Aug, 2014 10:27 AM
Did you bring this up with gnupg?
3 Posted by rcdsox on 17 Aug, 2014 08:06 PM
Hello,
So sorry for the delayed response - personal issues have prevented me from providing an update until now. I submitted the bug today:
https://bugs.g10code.com/gnupg/issue1692
--Ray
Support Staff 4 Posted by Steve on 18 Aug, 2014 04:44 PM
Awesome, thanks for taking care. Let's see where it goes.
5 Posted by rcdsox on 25 Aug, 2014 10:21 PM
Update:
Looks to be a non-issue (makes sense once I took a look at http://tools.ietf.org/html/rfc4880#section-7.1). Here is the response for your records: https://bugs.g10code.com/gnupg/issue1692
This issue may be considered closed.
--
Ray
Support Staff 6 Posted by Steve on 03 Sep, 2014 05:49 PM
ok, thanks for keeping us posted on this matter. I'm closing this discussion. If you need further assistance or have questions you can re-open this discussion here or open a new one any time.
Best, steve
Steve closed this discussion on 03 Sep, 2014 05:49 PM.