
Verified plaintext does not match original plaintext
Closed, Invalid, Public

Description

I clearsign some random data. Then I verify the signature. The verified output file differs (in contents and size) from the original. WTF?

To reproduce: create new key/ring, create random file, clearsign, verify, compare:

j@freedom:~/tmp/gpg-bug$ rm -rf ~/.gnupg

j@freedom:~/tmp/gpg-bug$ gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/j/.gnupg' created
gpg: new configuration file `/home/j/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/j/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/j/.gnupg/secring.gpg' created
gpg: keyring `/home/j/.gnupg/pubring.gpg' created
Please select what kind of key you want:

(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
...blah blah blah...
gpg: /home/j/.gnupg/trustdb.gpg: trustdb created
gpg: key 145A85DB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 3072D/145A85DB 2017-09-29

Key fingerprint = 548D 69CE 3F94 9513 6462  BCF8 8A44 2BDC 145A 85DB

uid adsfg (asdfg) <foo@example.com>

Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.

j@freedom:~/tmp/gpg-bug$ dd if=/dev/urandom of=original-random-data bs=1651669 count=1
1+0 records in
1+0 records out
1651669 bytes (1.7 MB, 1.6 MiB) copied, 0.0126503 s, 131 MB/s

j@freedom:~/tmp/gpg-bug$ gpg --clearsign original-random-data

j@freedom:~/tmp/gpg-bug$ gpg -o verified original-random-data.asc
gpg: Signature made Fri 29 Sep 2017 03:12:51 PM PDT using DSA key ID 145A85DB
gpg: Good signature from "adsfg (asdfg) <foo@example.com>"
j@freedom:~/tmp/gpg-bug$ ll
total 4856
drwxrwxr-x 2 j j 4096 Sep 29 15:12 ./
drwxrwxr-x 3 j j 4096 Sep 29 15:04 ../
-rw-rw-r-- 1 j j 1651669 Sep 29 15:12 original-random-data
-rw-rw-r-- 1 j j 1651988 Sep 29 15:12 original-random-data.asc
-rw-rw-r-- 1 j j 1651586 Sep 29 15:12 verified

(Note verified is smaller than original-random-data)

Details

Version
1.4.20 (ubuntu package 1.4.20-1ubuntu3.1 amd64)

Event Timeline

werner added a subscriber: werner.

--clearsign is for text only and canonizes the signed text to make it robust against different line-endings and white space changes. Thus this is no bug. To get a bit-identical copy you may not use --clearsign or --text-mode but use standard signing,
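
The canonicalization described in the reply above can be modelled in a few lines. This is an added example, not GnuPG's code and not part of the ticket: it follows the cleartext rules of RFC 4880 section 7.1 (trailing spaces and tabs removed from each line, line endings normalised to CRLF for hashing) and shows why text survives the round trip while arbitrary bytes do not. The function names, the LF output convention and the sample inputs are assumptions made for the illustration.

```python
import hashlib
import random

# Model assumption: CR is dropped with trailing space/tab because it is
# part of a CRLF line ending; dash-escaping is left out.
TRAILING = b" \t\r"

def canonical_lines(data: bytes) -> list:
    """Split on LF and strip trailing whitespace from every line."""
    return [line.rstrip(TRAILING) for line in data.split(b"\n")]

def signed_form(data: bytes) -> bytes:
    """Bytes the signature hash covers: canonical lines joined by CRLF."""
    return b"\r\n".join(canonical_lines(data))

def recovered_form(data: bytes) -> bytes:
    """What a verifier can hand back (assumed here: LF line endings)."""
    return b"\n".join(canonical_lines(data))

def bytes_lost(data: bytes) -> int:
    """How many input bytes do not survive a sign/verify round trip."""
    return len(data) - len(recovered_form(data))

def same_signature_input(a: bytes, b: bytes) -> bool:
    """True when one cleartext signature would validate both inputs."""
    digest = lambda d: hashlib.sha256(signed_form(d)).digest()
    return digest(a) == digest(b)

# Constructed samples: the same text with Unix and padded DOS lines,
# and a seeded pseudo-random blob standing in for the /dev/urandom file.
UNIX_TEXT = b"hello\nworld\n"
DOS_PADDED = b"hello  \r\nworld\t\r\n"
RANDOM_BLOB = random.Random(0).randbytes(1 << 20)

if __name__ == "__main__":
    print("text round-trips:", recovered_form(UNIX_TEXT) == UNIX_TEXT)
    print("padded DOS text loses", bytes_lost(DOS_PADDED), "bytes")
    print("one signature covers both:", same_signature_input(UNIX_TEXT, DOS_PADDED))
    print("random blob loses", bytes_lost(RANDOM_BLOB), "bytes")
```

Because the hash is taken over the canonical form, a cleartext signature vouches for the text up to line endings and trailing whitespace, not for an exact byte sequence.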