This queue is for tickets about the GnuPG CPAN distribution.

Report information
The Basics
Id: 67333
Status: new
Priority: 0/
Queue: GnuPG

People
Owner: Nobody in particular
Requestors: ph2010 [...] hcidata.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: GnuPG is not picking up a warning that implies a signed message has been tampered with
Date: Fri, 08 Apr 2011 15:43:15 +0100
To: bug-GnuPG [...] rt.cpan.org
From: "Phil Hobson" <ph2010 [...] hcidata.com>
Gnupg (0.09 and 0.17) is not picking up a warning message from gpg that indicates the message has been tampered with. By ignoring the gpg warning message, it gives the indication that the message has been correctly signed.

Below is a signed message with line 3 having been tampered with.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This line has been tampered with.

Thanks for taking the time to report a bug in GnuPG. You should be aware that each and every module available through CPAN is free software and that its author is a volunteer. Because of this, there's no guarantee that your issue will be dealt with immediately. There are a few things you can do to help make sure that your issue gets the attention it deserves:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAk2fHocACgkQQzjPXahjYnpv7gCeOcSOA3fTD/ZJCgak783Uqksy
i6wAn29d5J5uhUgPpV5g3S/47lQIB3cx
=eUvt
-----END PGP SIGNATURE-----

When the above signed message is verified by "gpg --verify ...." the messages are:

gpg: invalid armor header: This line has been tampered with.\r\n
gpg: Signature made Fri 08 Apr 2011 13:54:53 BST using DSA key ID A863627A
gpg: Good signature from "Phil Hobson (Councillor)

So, a geek would know that the line "This line has been tampered with.\r\n" was not part of the signed message. However, when using GnuPG there is no indication that someone has inserted a line in the armor header. Thus, (to a non-geek) the inserted line appears to be part of the signed message.

I have the same problem with Debian package libgnupg-perl 0.09 and GnuPG.pm 0.17.

Perl is v5.10.0 built for i486-linux-gnu-thread-multi
Operating System is Linux 2.6.26-2-686 #1 SMP Mon Aug 30 07:01:57 UTC 2010 i686 GNU/Linux

Best regards,
Phil Hobson
Technical Director
--
All quotes are subject to our terms and conditions which can be obtained from http://www.hcidata.com/terms-and-conditions
HCI Data Limited
+44 1959 533 551
Registered in England number 3518621
Registered Office: 34 The Hopstore, 19 Bourne Road, BEXLEY,DA5 1LR
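
A check a caller could run on a cleartext-signed message before trusting a "Good signature" result, given as an added example that is not part of the original report or of GnuPG.pm: it flags any line between the cleartext header and the first empty line that is not a "Hash:" armor header, which is the condition gpg reports above as "invalid armor header". The function name unsigned_header_lines is hypothetical and both sample messages are constructed, with a placeholder in place of a real signature.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return every line in the armor-header area of a cleartext-signed message
# that is not a "Hash:" header. RFC 4880 section 7 allows only Hash headers
# between the BEGIN line and the first empty line, and nothing in that area
# is covered by the signature.
sub unsigned_header_lines {
    my ($text) = @_;
    my @suspect;
    my $in_header = 0;
    for my $line (split /\r?\n/, $text) {
        if (!$in_header) {
            # Keep scanning so a second signed block in the same input
            # gets its header area checked as well.
            $in_header = 1 if $line eq '-----BEGIN PGP SIGNED MESSAGE-----';
            next;
        }
        if ($line =~ /^[ \t]*$/) {    # empty line: the signed text starts here
            $in_header = 0;
            next;
        }
        push @suspect, $line
            unless $line =~ /^Hash: [A-Za-z0-9-]+(?:\s*,\s*[A-Za-z0-9-]+)*\s*$/;
    }
    return @suspect;
}

# Constructed samples: same layout as the report, placeholder signature block.
my @tail = ('', 'Text that was actually signed.',
            '-----BEGIN PGP SIGNATURE-----', '', '(placeholder)',
            '-----END PGP SIGNATURE-----', '');
my %samples = (
    clean    => join("\r\n", '-----BEGIN PGP SIGNED MESSAGE-----',
                     'Hash: SHA1', @tail),
    tampered => join("\r\n", '-----BEGIN PGP SIGNED MESSAGE-----',
                     'Hash: SHA1', 'This line has been tampered with.', @tail),
);

for my $name (sort keys %samples) {
    my @bad = unsigned_header_lines($samples{$name});
    print "$name: ", (@bad ? "REJECT, unsigned header line: @bad"
                           : "header area clean"), "\n";
}
```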