
gnupg adds extra hyphen when signing plaintext (changing original message!)
Closed, Invalid (Public)

Description

When adding a signature, any line whose first character is a '-' becomes an
additional '- ' in the signed text, changing the text which was signed. For
example, I habitually sign my e-mails with just '-j'. If I clearsign this, this
is the result:

josh@howlingfantods:/tmp$ cat test.txt
test

-j
josh@howlingfantods:/tmp$ gpg -u b4d9087b --clearsign test.txt

You need a passphrase to unlock the secret key for
user: "Josh Buhl (For School Use Only) <buhl@stormarnschule.de>"
2048-bit RSA key, ID B4D9087B, created 2012-06-11
josh@howlingfantods:/tmp$ cat test.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test

- -j

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEVAwUBUBPLke84rWS02Qh7AQIseggAsmsFoZCmXYkrz190rNTuD0eyqkdW+Ux9
qVchzRkazToinBHWKxk2ys6nqMQyxN9y/irU0hlz2c1hkhlwtJqv1xoHwPBafUL0
5WZM5iIuaCVXTMd5XlPshYIkc4f8qkmcaVA6Qa2FV49irysX8Fr3ntZK7I9rw2wz
hojb8oRgpU32MXZ3TCeat0MUhkI3AdS9L6w0TZwCnfaVEdnYY4gDNxmrKLN415ex
bLOkMXcczOmudV0cqCucDcJCY5FasZLqqu2VIW/zpwz/trsQ5c/PvCT4XaEwebN0
XRZxUZwFhzYIjzpz9EGrwS93sGacyhz8e8iHtkC7iBJ8odKpG8mJog==
=lxNz
-----END PGP SIGNATURE-----

adding an additional '- ' in front of my signature.

In a way trivial, but in a way serious, since it's actually changing the text it
was supposed to guarantee is from the author.

cheers,

-j

Details

Version
1.4.12

Event Timeline

jbuhl set Version to 1.4.12.
jbuhl added a subscriber: jbuhl.
werner removed a project: Bug Report.
werner added a subscriber: werner.

That is not a bug but required by the specs. Leading dashes are required to be
escaped by "- "; see RFC 4880. Use "--output FILE" to get the cleartext.
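
Added example, not part of the original thread and not GnuPG's code: a minimal Python sketch of the dash-escaping rule from RFC 4880 section 7.1, showing that reversing the escape recovers the original text and why the escape is needed to keep a body line from being mistaken for the armor boundary. The function names, the `frame` helper and the placeholder signature block are assumptions for illustration; no signature is computed or verified.

```python
# Dash-escaping for cleartext signatures (RFC 4880, section 7.1).
# All sample messages below are constructed; the signature block is a placeholder.

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
MSG_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"


def dash_escape(text: str) -> str:
    """Prefix every line starting with '-' with '- ', as clearsigning does."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def dash_unescape(text: str) -> str:
    """Strip a leading '- ' from each line, as a reader of the message must."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))


def frame(text: str) -> str:
    """Hypothetical helper: wrap text in the cleartext framework (no real signature)."""
    return "\n".join([MSG_BEGIN, "Hash: SHA256", "", dash_escape(text),
                      SIG_BEGIN, "", "(placeholder, not a real signature)",
                      "-----END PGP SIGNATURE-----"])


def extract_cleartext(armored: str) -> str:
    """Recover the original text from a clearsigned message (no verification)."""
    lines = armored.split("\n")
    start = lines.index(MSG_BEGIN)
    body_start = lines.index("", start) + 1   # skip "Hash:" armor headers
    # Escaping guarantees no body line equals SIG_BEGIN, so the first
    # match is the real boundary between text and signature.
    end = lines.index(SIG_BEGIN)
    return dash_unescape("\n".join(lines[body_start:end]))


if __name__ == "__main__":
    original = "test\n\n-j"                    # the text from this report
    print(dash_escape(original))               # what appears in the .asc file
    print(extract_cleartext(frame(original)) == original)
    tricky = "hello\n" + SIG_BEGIN + "\nbye"   # body line that mimics the boundary
    print(extract_cleartext(frame(tricky)) == tricky)
```
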