Mailing List Archive

signing keyblock (was: CNN)
Fabio Coatti <cova@felix.unife.it> writes:

> I'll try to build one. Actually the one I have is a message encrypted
> for me and it requires my secret key for exploiting.

Please yes. It is much easier for me to fix a bug when I have a good
testcase.

> I also think that there is a problem with dash-escaping (CVS 13/01/98,
> not the latest): If I export an ascii-armored pub key and then I
> sign the file (for example, I've exported a key, added some comments
> in the same file and then signed the file), gpg can check the
> signature but is unable to import the key.

I don't think so. The clearsigned text with the public key signs the
key and has to dash-escape the armor lines of the keyblock - therefore
gpg does not know that there is a keyblock inside the message.

There is no need to sign a keyblock. If you want to import the
keyblock you have to run gpg twice. I know this problem and I
considered adding some special code to handle this - it is not good to
do so as this is only one case and there are thousands of other
possibilities how OpenPGP messages might be nested.

Suggestion: Attach the keyblock to the mail and sign only your
comment (using MIME of course).

[Thomas?:]
BTW, for what does MIME need the MIC algorithm? Is it expected that
a mailer calculates the hash and passes this to the signature
verification program - should GnuPG have an option to do so?


Werner
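
The dash-escaping effect discussed in this message, as an added example that is not part of the original mail or of GnuPG's code: it models only the cleartext framing (no signing or verification is done), and the function names, the `Hash:` value and the key and signature bodies are constructed placeholders.

```python
import re

# An armor header line is only recognised when it starts at the beginning of a line.
ARMOR_HEAD = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$", re.M)

def dash_escape(text):
    """Cleartext rule: every line starting with '-' gets the prefix '- '."""
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))

def dash_unescape(text):
    """Reverse of dash_escape: strip one leading '- ' from each escaped line."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.split("\n"))

def armor_types(text):
    """Armor block types a line-anchored scanner sees in text."""
    return ARMOR_HEAD.findall(text)

def clearsign_frame(body, sig="(constructed placeholder, not a real signature)"):
    """Lay out body like a clearsigned message; the signature is a dummy."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            + dash_escape(body)
            + "\n-----BEGIN PGP SIGNATURE-----\n\n" + sig
            + "\n-----END PGP SIGNATURE-----\n")

def signed_body(clearsigned):
    """First pass: recover the original text between header and signature."""
    _, rest = clearsigned.split("\n\n", 1)  # skip header line and Hash: line
    escaped = rest.split("\n-----BEGIN PGP SIGNATURE-----", 1)[0]
    return dash_unescape(escaped)

# Constructed sample: comments plus an armored keyblock in one signed file.
BODY = ("Here is my key, with a few comments.\n\n"
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
        "(constructed placeholder, not real key data)\n"
        "-----END PGP PUBLIC KEY BLOCK-----")
MESSAGE = clearsign_frame(BODY)

if __name__ == "__main__":
    # Pass 1 input: the keyblock header is escaped, so it is not seen.
    print("visible in signed message:", armor_types(MESSAGE))
    # Pass 2 input: the unescaped body exposes the keyblock for import.
    print("visible after unescaping: ", armor_types(signed_body(MESSAGE)))
```

The first scan finds only the signed-message and signature armor; the keyblock becomes visible only in the output of the first pass, which is why a second run is needed to import it.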