Truncated lines in cleartext signatures are not correctly verified by gpg and gpgv.
Related Objects
- Mentioned In
- T6303: Release GnuPG 2.4.0
Event Timeline
Actually I am not sure whether this is really a bug and that the fix is needed. What has been signed and verified is what gpg has seen and what --output has written. For example a line in the cleartext format may read "- From my " but what actually has been signed was "From my". If a line has been truncated --output will write only the truncated and thus verified data and not what was in the cleartext format.
Other programs might parse cleartext signatures too, and expect GnuPG’s parsing to conform to the spec. Such programs would be vulnerable to a forgery attack, so GnuPG’s behavior is a security problem.
You need to handle them in a correct way. Just checking with gpg is not enough because you don't know what has been signed. You need to look at the signed data which gpg gives you by using the --output option. And there you see only the signed data and not the extra "aaa" you added after having signed the plaintext. It is not different from adding stuff before the -----BEGIN PGP SIGNED ... line. We had the same discussion regarding PGP-2 and Mutt more than 25 years ago.
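As an added illustration (not code from this ticket or from GnuPG), a small Python parser that recovers the text a cleartext signature actually covers, applying dash-unescaping and trailing-whitespace removal as RFC 4880 section 7 describes; the sample message and its placeholder signature block are constructed. It shows why the envelope line "- From my " and the signed data "From my" differ, which is why a consumer must work from the verifier's --output rather than from the envelope it rendered.

```python
# Constructed cleartext-signed message. The signature block is a placeholder,
# not a real signature; the dash-escaped first line mirrors the "- From my"
# example from the discussion, and both lines carry trailing whitespace.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- From my notes   
Second line\t
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREDATA
-----END PGP SIGNATURE-----
"""


def extract_cleartext(message: str):
    """Return (signed_text, signature_armor) from a cleartext-signed message.

    Per RFC 4880 section 7.1, "- " at the start of a line is removed and
    trailing whitespace is dropped; that canonical form is what the
    signature covers, not the envelope text as displayed.
    """
    lines = message.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig_start = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("not a cleartext-signed message")
    # Skip armor headers such as "Hash: SHA256" up to the first blank line.
    i = start + 1
    while i < sig_start and lines[i] != "":
        i += 1
    body = lines[i + 1:sig_start]
    signed = []
    for line in body:
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping
        elif line.startswith("-"):
            # RFC 4880 only says to warn here; this parser rejects instead.
            raise ValueError("line starts with an unescaped dash")
        signed.append(line.rstrip(" \t\r"))
    return "\n".join(signed), "\n".join(lines[sig_start:])


if __name__ == "__main__":
    text, armor = extract_cleartext(SAMPLE)
    print(repr(text))   # the data a verifier would hash and emit via --output
```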
I'll keep the change in 2.3 just to stop discussions - it is not a fix because too many ppl will not use tools in a proper way; regardless of this change.