Page MenuHome GnuPG
Create Task
Maniphest T5367

PDF signed with --clearsign has image distorted.
Closed, ResolvedPublic
Actions

Description

Signing a PDF file containing an image causes distortion to the image (using --clearsign).

gpg --clearsign --output='dices - signed with gpg.pdf' 'dices - unsigned.pdf'

dices - signed with gpg.pdf362 KBDownload

File signed with distorted image.

dices - unsigned.pdf362 KBDownload

Original file, unsigned and undistorted.


PNG used to create the unsigned file. Comes from Wikimedia, so it is ok to distribute.

blank - unsigned.pdf1 KBDownload

Blank PDF used to add the image dices.png to.

Details

Version
gpg (GnuPG) 2.2.19, libgcrypt 1.8.5

Event Timeline

deragon created this task.Mar 26 2021, 6:47 PM
deragon updated the task description. (Show Details)Mar 26 2021, 6:53 PM
deragon updated the task description. (Show Details)
deragon updated the task description. (Show Details)Mar 26 2021, 7:08 PM
deragon updated the task description. (Show Details)Mar 26 2021, 7:10 PM
werner edited projects, added FAQ, Not A Bug; removed Bug Report.Mar 27 2021, 11:29 AM
werner added a subscriber: werner.

--clearsign may only be used for plain text documents due to line ending conversion etc.

werner closed this task as Resolved.Mar 27 2021, 11:29 AM
werner claimed this task.
Angel added a subscriber: Angel.Apr 12 2021, 2:40 AM

The surprising thing is that it works at all. I wouldn't be surprised if certain would simply reject it as "not a pdf" given that the "%PDF-1.x" marker isn't at the beginning.

PDF is a "text-based format" which then includes binary contents (e.g. compressed blocks) and uses byte offsets (so not really text).

For this specific file you could get away with the non-standard --not-dash-escaped option, as the issue on this is caused by 0a 2d being escaped into 0a 2d 20 2d:

gpg --clearsign --not-dash-escaped --output='dices - signed with gpg not dash escaped.pdf' 'dices - unsigned.pdf'

Even if you only used gpg to validate it, so that you can use --not-dash-escaped, certain pdf contents could confuse it, though. If you want to keep the signed pdf readable without gpg, the real solution would be to use a detached signature.

dices - signed with gpg not dash escaped.pdf362 KBDownload