Re: Difference between clearsign and detached signatures?
On 29/08/14 19:03, Ingo Klöcker wrote: On Thursday 28 August 2014 22:53:52 TJ wrote: I've recently been digging deep into the source-code trying to understand what the differences are between --clearsign and --detach-sign signatures. The RFC is probably much easier to read than the source code: http://tools.ietf.org/html/rfc4880 The RFC was fine but, for me, the code is authoritative especially when I suspect implementation differences. I had thought that the message digest hash (in this case SHA512) should be the same since the input data is the same which-ever signing method is used. This didn't work as I had expected so I have been digging into the source-code to figure out what is different between the two signing methods. In general the message digest hashes will differ. The reason for this is a different canonicalization of the signed text (provided the detached signature is a text document signature; if it's a binary document signature no canonicalization is applied). A main difference is the stripping of trailing whitespace in the text (which is done for cleartext signatures but not for text document signature). Yes, I worked on that one too, checking that there was no white-space at end of lines: egrep '[\t ]$' Release | wc -l 0 I also tried replacing with as per 5.2.1. and "Signature of a canonical text document". gpg --verify <(echo -e "-BEGIN PGP SIGNED MESSAGE-\nHash: SHA512\n\n$(sed ':a;N;$!ba;s/\n/\r\n/g' Release)\n$(cat Release.asc.gpg)") # gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89 # gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) " gpg --verify <(echo -e "-BEGIN PGP SIGNED MESSAGE-\nHash: SHA512\n\n$(sed ':a;N;$!ba;s/\n/\r\n/g' Release)\n$(cat Release.Test.detached.gpg)") # gpg: Signature made Thu 28 Aug 2014 19:29:37 BST using RSA key ID 3591FB89 # gpg: BAD signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) " Looking at the code the signing path is either of: g10/sign.c::sign_file() g10/clearsign_file() For sign_file() text_filter() and md_filter() are added to the input iobuf filter list. For clearsign_file() copy_clearsig_text() is called, which in turn uses len_without_trailing_chars() to copy the line excluding trailing whitespace from plaintext input to clearsign output. For verify_signatures() and verify_files() (via verify_one_file()), armor_filter() is pushed onto the iobuf filter list then proc_signature_packets() is called, which calls do_proc_packets() which, during IOBUFCTRL_UNDERFLOW calls radix64_read() which skips whitespace characters. This being the case I cannot see any opportunity for the plaintext that is the subject of the message digest hashing to be different, which suggests that something else is added to the hashed value when generating a detached signature. gpg --verify Release.asc # gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89 # gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) " gpg --verify Release.Test.detached.gpg Release # gpg: Signature made Thu 28 Aug 2014 19:29:37 BST using RSA key ID 3591FB89 # gpg: Good signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) " gpg --verify Release.asc.gpg Release # gpg: Signature made Thu 28 Aug 2014 18:32:06 BST using RSA key ID 3591FB89 # gpg: BAD signature from "Test Key (gnupg 1.4.16 Ubuntu 14.04 amd64) " ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Difference between clearsign and detached signatures?
On Thursday 28 August 2014 22:53:52 TJ wrote: > I've recently been digging deep into the source-code trying to > understand what the differences are between --clearsign and > --detach-sign signatures. The RFC is probably much easier to read than the source code: http://tools.ietf.org/html/rfc4880 > This came about whilst writing code that calls on "gpg --verify" on > detached signatures; specifically Debian APT archives that contain > "Release" (plaintext) and "Release.gpg" (detached signature). > > The aim/hope was to combine the plaintext and detached signature into > the armored clearsign format and thus avoid needing to write one of > them to the file-system (the other can be supplied via stdin). > > I had thought that the message digest hash (in this case SHA512) > should be the same since the input data is the same which-ever > signing method is used. This didn't work as I had expected so I have > been digging into the source-code to figure out what is different > between the two signing methods. In general the message digest hashes will differ. The reason for this is a different canonicalization of the signed text (provided the detached signature is a text document signature; if it's a binary document signature no canonicalization is applied). A main difference is the stripping of trailing whitespace in the text (which is done for cleartext signatures but not for text document signature). For details see http://tools.ietf.org/html/rfc4880#section-5.2.4 and http://tools.ietf.org/html/rfc4880#section-7 Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
>> On 23/08/2014 11:16, d...@geer.org wrote: > actually you chose to step out of the front door today i assume ? > you took the bus to work or maybe you drove ? > i don't know, maybe a tractors more your thing, but you took it to the > gas station and filled 'er up > or you got breakfast at the deli before your meeting ? I think you are conflating separate things with questions like these. See Mark H Wood's comment above: "It was never possible to live in perfect anonymity. You can't participate in society and be invisible to it at the same time. One has to accept being known, to some extent. So, secrecy is only one part of privacy.[...]" > how many times were you photographed by the big bad social network > before your first coffee break? What "big bad social network"? First define what you mean by "social network" in this context. My earlier comment was, as I stated, primarily context of "social networks and other media". You seem to mean something something different by "the big bad social network". > how can you as an individual be in control of this ? I choose where I go and what I do, both online (which was the main context of my earlier comment) and in the physical world. Whilst, as Mark Wood says above, some involvement in society inevitably involves sharing some information about oneself (and always has done), one can nevertheless to a massive extent choose how much one shares, what one says, and what one does. One does not need to blab everything to everyone. > do you honestly believe you're in control of what information you > share? To a very considerable extent, yes. It is a self-evident reality (although what I choose to share versus what I need to share varies on the specific context). I have not given way all control over my mind, body and actions. > no prob, phone[sic] up FB or dr G and have a word to the secretary: > > "yes sir, we just had a looksy & can confirm all your bits are 100% > accounted for, your datas are currently residing on 3,521 servers in > 59> countries and if you like, we can press this red button and have > it all removed straight away sir, no lawyer required, no warrant, no > questions asked and a 100% satisfaction guarantee - this weeks > promotion also includes free removal of your NSA vacuum trail, we can > delete that too with the same red button because your data that we > were forced to share can be accounted for exactly sir, we know where > it went because we take pride in knowing we serve our customers best > interests..." What data on FB? Whilst, as Jason Anthony pointed out, other people can post information about me to social networks such as FB, data leakage by third parties is not a new risk (as MFPA observed). Apart from such data leakage, FB or other social networks only know about me what I choose to tell them. As I say, I do not need to blab to the world about everything. I *am* in practice in control of what I say and do and where I say and do it. > which privacy policy thesis have you read cover-to-cover ? > have you read it each time it was updated ? > did you prepare yourself for opt-out changes ? Perhaps it is more sensible to control what one shares in the first place. > which CV of yours have you parted ways with to prospective employers > is equipped with nice little java scripts phoning home to your > elaborately setup web server all-the-while alerting you to all those, > whose pdf reader allows outgoing comms, who open your file ? > > where is your CV from 15 years ago - you know precisely how many > people have read it don't you ? What point are you trying to prove here? Releasing a CV is still a controlled act, even though you don't necessarily know where it is going to get to. It is all a matter of choice. What you include is under your control. > are kids confident that they know their snapchats will be deleted just > like they were promised ? As I say, the better, wiser option would be to not post in the first place. > where are these snap chats now - do they know lest do they care ? Wise people do care. Wiser people were always careful what they said on third party provided services. > if you truly wanna be in control of your data, your gonna have to > regulate and restrain yourself until your testicles are drawn over the > back of your neck *or* accept it aint possible now, it may never be, > and when you accept that you'll keep out of the loony bin & fruit > cake parlour I think you are looking at the whole situation through defeatist's eyes. :-) -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 29/08/2014 09:29, Samir Nassar wrote: > It is safe to say this thread has moved way off topic from being about using > gnupg. > > Samir Yes. My apologies for my part in taking it off-topic. -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
(This did not seem to reach the list previously. Apologies if you've seen it twice.) On 27/08/2014 15:54, shm...@riseup.net wrote: > actually you chose to step out of the front door today i assume ? > you took the bus to work or maybe you drove ? > i don't know, maybe a tractors more your thing, but you took it to the > gas station and filled 'er up > or you got breakfast at the deli before your meeting ? I think you are conflating separate things with questions like these. See Mark H Wood's comment above: "It was never possible to live in perfect anonymity. You can't participate in society and be invisible to it at the same time. One has to accept being known, to some extent. So, secrecy is only one part of privacy.[...]" > how many times were you photographed by the big bad social network > before your first coffee break? What "big bad social network"? First define what you mean by "social network" in this context. My earlier comment was, as I stated, primarily context of "social networks and other media". You seem to mean something something different by "the big bad social network". > how can you as an individual be in control of this ? I choose where I go and what I do, both online (which was the main context of my earlier comment) and in the physical world. Whilst, as Mark Wood says above, some involvement in society inevitably involves sharing some information about oneself (and always has done), one can nevertheless to a massive extent choose how much one shares, what one says, and what one does. One does not need to blab everything to everyone. > do you honestly believe you're in control of what information you > share? To a very considerable extent, yes. It is a self-evident reality (although what I choose to share versus what I need to share varies on the specific context). I have not given way all control over my mind, body and actions. > no prob, phone[sic] up FB or dr G and have a word to the secretary: > > "yes sir, we just had a looksy & can confirm all your bits are 100% > accounted for, your datas are currently residing on 3,521 servers in > 59> countries and if you like, we can press this red button and have > it all removed straight away sir, no lawyer required, no warrant, no > questions asked and a 100% satisfaction guarantee - this weeks > promotion also includes free removal of your NSA vacuum trail, we can > delete that too with the same red button because your data that we > were forced to share can be accounted for exactly sir, we know where > it went because we take pride in knowing we serve our customers best > interests..." What data on FB? Whilst, as Jason Anthony pointed out, other people can post information about me to social networks such as FB, data leakage by third parties is not a new risk (as MFPA observed). Apart from such data leakage, FB or other social networks only know about me what I choose to tell them. As I say, I do not need to blab to the world about everything. I *am* in practice in control of what I say and do and where I say and do it. > which privacy policy thesis have you read cover-to-cover ? > have you read it each time it was updated ? > did you prepare yourself for opt-out changes ? Perhaps it is more sensible to control what one shares in the first place. > which CV of yours have you parted ways with to prospective employers > is equipped with nice little java scripts phoning home to your > elaborately setup web server all-the-while alerting you to all those, > whose pdf reader allows outgoing comms, who open your file ? > > where is your CV from 15 years ago - you know precisely how many > people have read it don't you ? What point are you trying to prove here? Releasing a CV is still a controlled act, even though you don't necessarily know where it is going to get to. It is all a matter of choice. What you include is under your control. > are kids confident that they know their snapchats will be deleted just > like they were promised ? As I say, the better, wiser option would be to not post in the first place. > where are these snap chats now - do they know lest do they care ? Wise people do care. Wiser people were always careful what they said on third party provided services. > if you truly wanna be in control of your data, your gonna have to > regulate and restrain yourself until your testicles are drawn over the > back of your neck *or* accept it aint possible now, it may never be, > and when you accept that you'll keep out of the loony bin & fruit > cake parlour I think you are looking at the whole situation through defeatist's eyes. :-) -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 27/08/2014 17:15, Robert J. Hansen wrote: > Figure out what > *precisely* you're concerned with, and start talking about that -- but > "privacy" as a word has become so vague it's almost useless. If we > can't describe precisely what we're afraid of losing, we're going to > lose it and we won't even be able to accurately tell people what we've lost. This is a key point. The words "privacy" and "liberty" are too vague to be useful for this purpose. The big problem is that what we are losing is not easily amenable to rational explanation. It exists, it is real, it matters, and yet it is difficult to explain in intellectually precise terms. This lack of precision plays into the hands of those who desire to remove such liberties. Can anyone describe in clear, intellectually persuasive terms, why liberty (and privacy is a subsection of liberty) matters? No one should have to explain such things and yet that is what is now required. > The second is a more general observation: authority tends to behave best > when it's forced to submit to oversight. Corporations behave best when > they're forced to answer to public shareholder meetings where anyone > with a single share to their name can demand answers -- and if they > don't get them, there's hell to pay. Politicians behave best when > there's a free press following them around and asking them rude > questions. Terrorists wear masks not to hide from the authorities, but > to hide from their own communities -- social oversight would make their > job impossible. Unfortunately, oversight only works when those in > charge take it seriously. We as a society would rather watch reality > television than television about reality: we'd rather watch _Big > Brother_ than C-SPAN hearings about whether government has become Big > Brother. Well observed. > The third is that those who *do* care, tend to care in deeply broken > ways. I can't tell you how many times I've run into self-styled privacy > advocates here in the U.S. who are furious over how the U.S. has been > reading their email. The only problem is there's very little evidence > of that occurring. Reading email metadata, maybe, but not email > content. When I try to explain that to them I usually find myself > wondering inside of two minutes why I ever bothered trying to bring fact > and reason to what is fundamentally an argument from passion and > emotion. I have had people literally yell in my face over the > metadata-versus-content distinction. When the front line of advocacy > appears to be detached from reality in one way, and the body politic is > detached from reality in another (reality television), well... how does > one fix this? Surely the metadata versus data argument is something of a red herring. Whilst there are clear technical differences between metadata and data/content, the fact is that when the powers that be read my communications metadata without warrant and at will (something that I never gave them permission to look at), it is no less an invasion of my privacy than if they read the data/contents. The nature of communications metadata is that it can tell people who look at it a great deal about a person, information that may well be private in nature. Warrantless snooping in metadata is too much. I am also aware that there are longstanding legal definitions that treat metadata differently to content. Well, legal niceties be damned. Technical (and legal) differences between metadata and data/content notwithstanding, the reality is that when my communications metadata is snooped on without warrant and without my permission then it is an invasion of privacy, one that is indistinguishable in seriousness (both morally and practically, in terms of what can be inferred from metadata) from snooping on data/content itself. (For those who are about to point out that we willingly share communications metadata with service providers to allow for routing our communications to the right place, this is done intentionally and for the purposes of routing only. It does not follow that such metadata should be available to anyone and everything; it is still private information that we should have every right to expect is shared only for the purposes of communications routing). > My reading of what Dan's said (I apologize, Dan, if I'm getting you > wrong) is that he sees no way to stop the technological assault. I > don't think that's quite true, though. If we were as a society to > suddenly say, "stop this, right now, let's establish some laws to > protect the essential core of privacy," we'd do it. It seems to me that a great many people believe that there is nothing that can be done. They truly seem to think that the only thing to do is to give in and throw away all aspects of personal information/travel/communications privacy (whatever precise meanings "privacy" has in this context). It's a defeatist attitude and I think it's playing into the enemy's hands. > Now I'm waving my arm
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
It is safe to say this thread has moved way off topic from being about using gnupg. Samir -- Samir Nassar sa...@samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 Public Key: https://samirnassar.com/files/key.asc signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 27/08/2014 11:46, d...@geer.org wrote: > I fully agree with you, which means that I see few ways to preserve > the liberty that privacy represents than to withdraw from much of > civil society while it shares ever more -- sharing ever more on the > "I've got nothing to hide" premise. Technology makes what is > observable by others daily grow wider; lip reading robots, electric > grids that know the noise signature of every device you own, smart > cameras on every street corner, MIT's "visual microphone," electronic > health records that are and must be shared amongst providers plus > the providers' paymasters, and on and on. That these are possible > is worrisome; that they are widely built into services which promise > "convenience" is the Pied Piper institutionalized. As I wrote > elsewhere(*), we are becoming a society of informants -- I have > nowhere to hide from you. I agree that information sharing, especially statutorily-imposed information collection and sharing, is a great threat to liberty. Fighting it is very difficult without fundamental reform of state structures. But this still does not mean that we need to share more than we want or need to where we have a choice, and we still do have lots of choices in this matter (especially in the context of my earlier message). -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 27/08/2014 11:16, Jason Antony wrote: > What can't be controlled is when people who know you give out your > personal details on social networks. > > It could happen because they may not see anything wrong with it, they > may be tricked into it [games/surveys], or they wish to harm you. This is true and it's a good point but, as MFPA points out, it's not a new threat in principle. I think the key point still remains that what one shares with the world is very much under one's practical control, if one only remembers it. Social interaction inevitably involves some extent of information sharing, and always has, but that doesn't mean that privacy (and all the nuanced concepts that are contained within that word) has somehow evaporated the first time you communicate with someone, or travel somewhere, etc. -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
