Mailing List Archive

detached signature, "can't hash datafile: No data"
Hello,

I wanted to verify an install file so I downloaded file.dmg and the
accompanying detached signature.asc. The public key was imported and
verified. Using GnuPG, I used the command:
gpg --verify signature.asc file.dmg

and..

"Good signature from..."

However, when I try to verify signature.asc independently using the command:
gpg --verify signature.asc

it states:
gpg: no signed data
gpg: can't hash datafile: No data

Shouldn't I be able to verify the signature independently?

S.B.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: detached signature, "can't hash datafile: No data"
> Shouldn't I be able to verify the signature independently?

Why?

A signature is a piece of data that attests another piece of data is
unchanged. If it doesn't have a second piece of data to compare to, all
it can say is "I have a good digital signature that attests to a hash
value of XYZ for some piece of data, but, uh ... where's the data?"

Detached signatures (clearsign signatures being one kind of them) do not
include the original data. You can sign gigabytes of data and the
detached signature will still be only a few hundred bytes in size,
because the original data isn't there.
Re: detached signature, "can't hash datafile: No data"
On 12/31/21 23:12, Robert J. Hansen via Gnupg-users wrote:

>> Shouldn't I be able to verify the signature independently?
>
> Why?
>
> A signature is a piece of data that attests another piece of data is
> unchanged.  If it doesn't have a second piece of data to compare to,
> all it can say is "I have a good digital signature that attests to a
> hash value of XYZ for some piece of data, but, uh ... where's the data?"
>

Makes sense.  I see my mistake.  I was practicing on my own created
signatures on my own files.  So I was able to verify my own .sig because..

gpg: assuming signed data in '/Users/samibadri/desktop/cryptcommands.txt'
gpg: Signature made Sat Jan  1 13:06:36 2022 EST
gpg:                using RSA key 5CD9A3BC1577A0FDB8B11CD02DE90FECE5438DA0
gpg: Good signature from "SamiB (pgp key pair #1) <sami.badri@gmail.com>" [ultimate]


> Detached signatures (clearsign signatures being one kind of them) do
> not include the original data.  You can sign gigabytes of data and the
> detached signature will still be only a few hundred bytes in size,
> because the original data isn't there.
>
I would've thought that a clearsign signature preserves the data above
the pgp signature, in plaintext.  Isn't the plaintext above the
signature the original data?


S.B.
Re: detached signature, "can't hash datafile: No data"
> I would've thought that a clearsign signature preserves the data
> above the pgp signature, in plaintext. Isn't the plaintext above the
> signature the original data?

In that case, it is. I spoke inartfully: I meant to say that detached
signatures can be done in either a binary format or in ASCII-printable.

