Signature verification fails with GPG 1.4.0

2005-08-17 Thread Olaf Gellert
Hi all,

I tried to verify the detached signature for a file
using GPG 1.4.0 (on SuSE 9.3). GPG told me that it was
a bad signature:

 gpg --verify libprelude-0.9.0-rc11.tar.gz.sig

Output:
gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
gpg: BAD signature from Prelude Hybrid IDS Archives Verification Key
[EMAIL PROTECTED]

Well, right now I installed GPG 1.4.2 and the signature
is validated successfully:

 gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
gpg: Good signature from Prelude Hybrid IDS Archives Verification Key
[EMAIL PROTECTED]

Some bug that was fixed recently? This is a little
bit weird... The files were:

http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz
http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz.sig

and they were transferred correctly (otherwise gpg 1.4.2 should
fail to validate the signature, too). Could this be related to
the signature being a textmode signature (on a binary file)?

Cheers, Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Signature verification fails with GPG 1.4.0

2005-08-17 Thread David Shaw
On Wed, Aug 17, 2005 at 11:49:43AM +0200, Olaf Gellert wrote:
> Hi all,
> 
> I tried to verify the detached signature for a file
> using GPG 1.4.0 (on SuSE 9.3). GPG told me that it was
> a bad signature:
> 
>  gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
> 
> Output:
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: BAD signature from Prelude Hybrid IDS Archives Verification Key
> [EMAIL PROTECTED]
> 
> Well, right now I installed GPG 1.4.2 and the signature
> is validated successfully:
> 
>  gpg --verify libprelude-0.9.0-rc11.tar.gz.sig
> gpg: Signature made Mon 01 Aug 2005 11:29:02 PM CEST using RSA key ID 23D2FAC3
> gpg: Good signature from Prelude Hybrid IDS Archives Verification Key
> [EMAIL PROTECTED]
> 
> Some bug that was fixed recently? This is a little
> bit weird... The files were:
> 
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz
> http://www.prelude-ids.org/download/releases/libprelude-0.9.0-rc11.tar.gz.sig
> 
> and they were transferred correctly (otherwise gpg 1.4.2 should
> fail to validate the signature, too). Could this be related to
> the signature being a textmode signature (on a binary file)?

Yes, that is what is wrong.  There is a very long explanation about
text canonicalization which explains why it works in 1.4.2 but not in
1.4.0, but the bottom line is that if the file is binary, it needs a
binary sig or it just won't work reliably.  (I've been trying to
persuade the spamassassin release people of this for a while now).

I can guarantee it will break between different versions of GnuPG, and
I can guarantee it will break between different versions of GnuPG and
PGP.

David
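The canonicalization David refers to is the reason a text-mode signature over a tarball can verify on one implementation and fail on another. The following added example (not code from this thread, not GnuPG code) models the step: a text-mode signature hashes the document after its line endings are normalised to CR LF (as OpenPGP specifies for text signatures), whereas a binary-mode signature hashes the raw bytes. The two canonicalizers below are illustrative variants of how an implementation might treat bare CR and LF bytes; they are assumptions for the demonstration, not the actual behaviour of GnuPG 1.4.0 or 1.4.2. On a real text file both variants agree; on a binary blob that happens to contain stray CR/LF bytes they hash different data, so a signature made under one rule fails under the other. The sample inputs are constructed.

```python
"""Why a text-mode OpenPGP signature over binary data is unreliable.

Added illustration, not code from the mailing-list thread or from GnuPG.
Text-mode signatures hash a canonicalized form of the document (line
endings converted to CR LF); binary-mode signatures hash the raw bytes.
The two canonicalizers below are hypothetical variants, chosen only to
show that any disagreement about what counts as a line ending changes
the bytes that get hashed.
"""
import hashlib


def canon_lf_only(data: bytes) -> bytes:
    """Variant A (hypothetical): only a bare LF is a line ending; it is
    expanded to CR LF. An existing CR LF pair is left unchanged and a
    bare CR is treated as ordinary data."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x0D and i + 1 < len(data) and data[i + 1] == 0x0A:
            out += b"\r\n"
            i += 2
            continue
        out += b"\r\n" if b == 0x0A else bytes([b])
        i += 1
    return bytes(out)


def canon_any_newline(data: bytes) -> bytes:
    """Variant B (hypothetical): a bare CR, a bare LF and CR LF are all
    treated as line endings and normalised to CR LF."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x0D:
            out += b"\r\n"
            if i + 1 < len(data) and data[i + 1] == 0x0A:
                i += 1          # swallow the LF of a CR LF pair
        elif b == 0x0A:
            out += b"\r\n"
        else:
            out.append(b)
        i += 1
    return bytes(out)


def digest(data: bytes) -> str:
    """Stand-in for the hash an OpenPGP signature commits to."""
    return hashlib.sha256(data).hexdigest()


def text_mode_digests(data: bytes) -> tuple:
    """What two implementations would sign/verify in text mode."""
    return digest(canon_lf_only(data)), digest(canon_any_newline(data))


def binary_mode_digest(data: bytes) -> str:
    """In binary mode every implementation hashes the same raw bytes."""
    return digest(data)


def text_mode_is_stable(data: bytes) -> bool:
    """True if both text-mode variants hash identical bytes."""
    a, b = text_mode_digests(data)
    return a == b


# Constructed samples: a genuine text file with consistent line endings,
# and a small "binary" blob (gzip-like header bytes) containing bare CR
# and LF bytes that are data, not line endings.
TEXT_FILE = b"first line\nsecond line\n"
BINARY_BLOB = bytes([0x1F, 0x8B, 0x08, 0x00, 0x0D, 0x41, 0x0A, 0x0D, 0x0A, 0x7F])

if __name__ == "__main__":
    print("text file, text mode stable:  ", text_mode_is_stable(TEXT_FILE))
    print("binary blob, text mode stable:", text_mode_is_stable(BINARY_BLOB))
    print("binary blob, binary mode:     ", binary_mode_digest(BINARY_BLOB)[:16])
```

The practical consequence for release engineers is the one David states: sign archives in binary mode (a plain detached signature, `gpg -b file`, rather than a `--textmode` signature), so the hash covers the bytes that were actually downloaded and no canonicalization rule can sit between signer and verifier. For anyone verifying a download, a BAD signature on a binary that a newer implementation accepts is a hint to check how the signature was made before assuming tampering, but the safe default remains to treat a bad signature as a failed verification.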
