My attempts to run the reproducer program have not been successful, as *none* of the signatures validate. Not even the known good case.

$ GOPATH=/usr/share/gocode/ go run sig_spoof.go
Verifying not tampered...
openpgp: invalid argument: no armored data found
Verifying spoofed hash...
openpgp: invalid argument: no armored data found
Verifying spoofed cleartext...
No clearsign text found

I tried this on Debian stretch, buster, bullseye, and using the version of package downloaded using "go get golang.org/x/crypto/openpgp/clearsign" on bullseye (this doesn't work on stretch or buster due to certificate errors).

I was wondering if there was an error in my copy of sig_spoof. I downloaded the source using:

https://dl.packetstormsecurity.net/1905-exploits/SA-20190513-0.txt

And deleted everything before and after the code, so I think it should be OK.

Any ideas?
--
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/