I wrote:
> I've attached an exemplary signature file (named gnupg-2.1.0.tar.bz2.sig
> for your convenience) that demonstrates the problem:

Addendum: I noticed that GnuPG releases and git tags are signed with the
same key. Abusing the latter, I'm able to generate far smaller signature
files. The date is now also correct (although the time is still off):
> $ echo evil stuff > gnupg-2.1.0.tar.bz2
> $ gpg2 --verify gnupg-2.1.0.tar.bz2.sig
> gpg: Signature made Wed Nov  5 15:30:17 2014 CET using RSA key ID 4F25E3B6
> gpg: Good signature from "Werner Koch (dist sig)" [full]

As the generated signature file was even smaller than the original one,
I padded it to full length with a private/experimental packet (tag 60):
> $ wc -c gnupg-2.1.0.tar.bz2.sig{,.orig}
> 861 gnupg-2.1.0.tar.bz2.sig
> 861 gnupg-2.1.0.tar.bz2.sig.orig

-- 
Simon Nicolussi <si...@sinic.name>
http{s,}://{www.,}sinic.name/

Attachment: gnupg-2.1.0.tar.bz2.sig
Description: Binary data
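A defensive check for the ambiguity demonstrated in the mail above, added here as an example (not code from the original mail or from GnuPG): it walks the OpenPGP packet headers of a file that is about to be passed to `gpg --verify` as a detached signature and rejects it unless every packet is a signature packet (tag 2), so a one-pass/literal-data wrapper or tag-60 padding is reported instead of being verified in place of the named file. The byte strings are constructed stubs with valid packet framing, not real signatures; binary (dearmored) input is assumed.

```python
# Added example (not from the original mail or GnuPG): walk OpenPGP packet
# headers (RFC 4880 section 4.2) and refuse a "detached signature" file that
# contains anything but signature packets. Binary (dearmored) input assumed.

PACKET_NAMES = {2: "signature", 4: "one-pass signature",
                11: "literal data", 60: "private/experimental"}

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte %d: not an OpenPGP packet header" % i)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                               # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at byte %d" % i)
        yield tag, body
        i += hdr + length

def unexpected_packets(data):
    """Names of all packets that do not belong in a detached signature file."""
    return [PACKET_NAMES.get(t, "tag %d" % t) for t, _ in iter_packets(data) if t != 2]

def is_detached_signature(data):
    """True only if the file is non-empty and consists solely of tag-2 packets."""
    return bool(data) and not unexpected_packets(data)

# Constructed stubs: valid packet framing, placeholder bodies, not real signatures.
GOOD = bytes([0x88, 0x03, 0x04, 0x00, 0x01])                  # one old-format tag-2 packet
WRAPPED = (bytes([0x90, 0x01, 0x03])                           # tag 4: one-pass signature
           + bytes([0xAC, 0x08]) + b"b\x00\x00\x00\x00\x00hi"  # tag 11: literal data "hi"
           + GOOD                                              # tag 2: the real signature
           + bytes([0xFC, 0x04, 0, 0, 0, 0]))                  # tag 60 (new format): padding
```

Run it against a file read in binary mode before invoking `gpg --verify`; a non-empty `unexpected_packets()` result means the file is a signed message rather than a detached signature and the data file named on the command line would not be what gets checked.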


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
