On Wed, Aug 17, 2005 at 11:49:43AM +0200, Olaf Gellert wrote:
> Hi all,
>
> I tried to verify the detached signature for a file
> using GPG 1.4.0 (on SuSE 9.3). GPG told me that it was
> a bad signature:
>
> > gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
>
> Output:
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: BAD signature from "Prelude Hybrid IDS Archives Verification Key
> <[EMAIL PROTECTED]>"
>
> Well, right now I installed GPG 1.4.2 and the signature
> is validated successfully:
>
> > gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: Good signature from "Prelude Hybrid IDS Archives Verification Key
> <[EMAIL PROTECTED]>"
>
> Some bug that was fixed recently? This is a little
> bit weird... The files were:
>
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz.sig
>
> and they were transferred correctly (otherwise gpg 1.4.2 should
> fail to validate the signature, too). Could this be related to
> the signature being a "textmode" signature (on a binary file)?
Yes, that is what is wrong. There is a very long explanation about text canonicalization which explains why it works in 1.4.2 but not in 1.4.0, but the bottom line is that if the file is binary, it needs a binary sig or it just won't work reliably. (I've been trying to persuade the spamassassin release people of this for a while now). I can guarantee it will break between different versions of GnuPG, and I can guarantee it will break between different versions of GnuPG and PGP.

David

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
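Added example, not part of the thread above: a small Python check that reads the signature-type byte out of a detached OpenPGP signature packet (0x00 = binary document, 0x01 = canonical text, per RFC 4880) and shows why a text-mode signature over a tarball depends on the verifier's line-ending canonicalization. The packet bytes and the gzip-like sample are constructed and truncated; the canonicalization here is the RFC's CR LF rule, not any particular GnuPG version's implementation.

```python
import hashlib

def parse_signature_type(sig):
    """Return the signature type byte of an OpenPGP signature packet
    (RFC 4880 5.2.1): 0x00 = binary document, 0x01 = canonical text."""
    tag_byte = sig[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:                       # new-format packet header
        tag, first = tag_byte & 0x3F, sig[1]
        if first < 192:
            hdr = 2
        elif first < 224:
            hdr = 3
        elif first == 255:
            hdr = 6
        else:
            raise ValueError("partial body length in a signature packet")
    else:                                     # old-format packet header
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        hdr = (2, 3, 5, 1)[ltype]             # 1/2/4-byte length or none
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = sig[hdr:]
    if body[0] == 4:                          # v4: version, sigtype, pk alg...
        return body[1]
    if body[0] == 3:                          # v3: version, 0x05, sigtype...
        return body[2]
    raise ValueError("unsupported signature packet version %d" % body[0])

def canonical_text_digest(data):
    """SHA-1 over the data as a canonical text document: line endings -> CR LF."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return hashlib.sha1(b"\r\n".join(lines)).hexdigest()

def binary_digest(data):
    """SHA-1 over the data exactly as stored, as a binary signature hashes it."""
    return hashlib.sha1(data).hexdigest()

def textmode_sig_on_binary_data(sig, data):
    """True when a canonical-text signature covers data that canonicalization
    would alter; such a signature depends on the verifier's line-ending rules."""
    return parse_signature_type(sig) == 0x01 and \
        canonical_text_digest(data) != binary_digest(data)

# Constructed, truncated packets: old-format header 0x88 and new-format header
# 0xC2 (both tag 2), each followed by the start of a v4 signature body.
TEXTMODE_SIG = bytes([0x88, 0x08, 0x04, 0x01, 0x01, 0x02, 0, 0, 0, 0])
BINARY_SIG = bytes([0xC2, 0x08, 0x04, 0x00, 0x01, 0x02, 0, 0, 0, 0])
TARBALL_BYTES = b"\x1f\x8b\x08\x00\n\x00\xff"   # gzip-like bytes containing LF
```

On a real file, `gpg --list-packets file.sig` shows the same field as `sigclass 0x01` for a text-mode signature; the fix on the signer's side is to produce a plain binary detached signature.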
