On 1/12/2015 at 1:50 PM, "Patrick Schleizer" <patrick-mailingli...@whonix.org> wrote:
>> gpg --verify --output OUT SIGNEDDATA

-----

>gpg --output ./out --verify ./sha512sums.asc
>
>When it exits 0, then this approach is sound, sane and fine?

-----

There is a way of addition to clearsigned messages that is not detectable:

Adding 'spaces' at the end of the line of visible characters.

Here is a clearsigned message without any spaces added:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This Is Just a Test
-----BEGIN PGP SIGNATURE-----
Comment: Fingerprint: C982 4216 3053 B6F3 62F2 7DC0 506F 4FA1 D35F B186
Comment: Key ID: 0xD35FB186
Comment: nothing added to cleartext

iQIcBAEBCAAGBQJUtCfmAAoJEFBvT6HTX7GGJlUP+QGHkTWBRvXUsfsVi5QyqJji
WKt5KkJIu+cv5dKVwJuWHVnhlCrdpqvVToofgk+oVJQp2KrnkesxkdwbPi87oJO9
nSc/4BCQedvYqa9nZ54YPGdRse9yttfzpwLtlbCWPqaMHN5trOwmBervAEW7GhCR
kmUeM7ZlPAj9QUVS8TKzWXlMu63YpYwrRGt1EXevbTaMcUWOOG9+azQy5nYw04oq
yuDDhdzV6MqL6bgxcnH4Psw5ykB59nlAEHjAeTVAObR6SzkSrOUhAL6velZcIJXq
kVLvKustBhTQ12JVL52S7Y+CMKQPE8SA2apvbhALV9RjnQK6jG99oradSFpQtlfh
PnM2ENRWZXi1D1BO5PJft4JzsMh2v6WqaiYJy5rmrJbbZyoo0vBqfizon1Mx2rtc
YmIOw7bvClV4oG/zOlC0aeI0QNKPGcESWWV5THEPVBGOx9edVcuzADJMJGbbIC/0
Ufs4lngy4zrKlLSWqwKM6MoYyXiRHsHaUCcGbXVGnbSspnUbEybDAPskBcqVp+DC
VH5NxDmQQEWUdTQEyiSmygXpa9GojX3KCFkF85Ohh3SUZ3O88ila+zpbDpfrXkJL
D2w6dyIqKghQuM9hivMYUNdLTYmWHNgDSbFyCcZuhzAbPCRx3tjle+BRSMKT3V6X
y0ofhIQ+3QeZzkHWkL+R
=M/in
-----END PGP SIGNATURE-----

It is possible to add blank spaces to the end of the visible characters on each line, as long as it doesn't result in a new line wrap, and the signature will still verify.

Don't know of any practical exploits of this property, other than possibly intentionally padding the files to use up someone's storage, (not likely in today's large storage capacity ;-) )

It could be useful if a sender and receiver would agree on a special code as to the padding,

i.e. if someone is being forced to sign something, the sender and receiver could agree that adding the following spaces to each line for 4 lines:

7
7
2
4

would signify the hidden message: signing against my will

(but this could also easily be forged by anyone who knew the system ...)

Anyway, just a curiosity of which users should be aware.

Absolutely *no* suggestions/requests to change GnuPG in any way (which wouldn't be backward compatible anyway)

Armored signing, or a detached signature of a text file, *will* detect any spaces added on to a line.

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
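
An added example, not part of the original post: a Python sketch of the cleartext canonicalization from RFC 4880 section 7.1 (dash-unescape, strip trailing spaces and tabs, CRLF line endings), showing why padded and unpadded cleartext feed the same bytes to the signature hash, plus a check that reports trailing whitespace before a clearsigned file is trusted. The four-line sample message, the placeholder signature body and all function names are constructed for this example.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def cleartext_lines(clearsigned: str) -> list[str]:
    """Raw cleartext lines between the armor headers and the signature."""
    lines = clearsigned.splitlines()
    start = lines.index(BEGIN_MSG) + 1
    while lines[start].strip():      # skip "Hash:" headers up to the blank line
        start += 1
    return lines[start + 1:lines.index(BEGIN_SIG)]

def canonical_text(clearsigned: str) -> bytes:
    """Bytes that enter the signature hash as the signed text."""
    out = []
    for line in cleartext_lines(clearsigned):
        if line.startswith("- "):    # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))   # trailing spaces/tabs are not signed
    return "\r\n".join(out).encode("utf-8")

def trailing_whitespace(clearsigned: str) -> dict[int, int]:
    """Map cleartext line number -> number of trailing spaces/tabs."""
    found = {}
    for n, line in enumerate(cleartext_lines(clearsigned), 1):
        pad = len(line) - len(line.rstrip(" \t"))
        if pad:
            found[n] = pad
    return found

def make_sample(body: list[str]) -> str:
    # Constructed sample; the signature body is a placeholder, not a real one.
    return "\n".join([BEGIN_MSG, "Hash: SHA256", "", *body,
                      BEGIN_SIG, "(placeholder)", END_SIG])

PLAIN = ["This", "Is", "Just a", "Test"]      # constructed 4-line cleartext
PADS = [7, 7, 2, 4]                           # padding pattern from the post
ORIGINAL = make_sample(PLAIN)
PADDED = make_sample([l + " " * p for l, p in zip(PLAIN, PADS)])

if __name__ == "__main__":
    same = canonical_text(ORIGINAL) == canonical_text(PADDED)
    print("same signed text:", same)
    print("padding per line:", trailing_whitespace(PADDED))
```

Running the check on the cleartext as received, rather than on a copy an editor or mail client may have re-wrapped, is what makes the padding visible.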