On 08/12/2013 08:40 AM, Martin T wrote:
> Hi,
>
> one can sign the message with "--clearsign" option which adds ASCII
> armored(Radix-64 encoding) "PGP signature" at the end of the text.
> This "PGP signature" contains the UID of the signer, timestamp and key
> ID. However, two questions:

GnuPG does much more than just the Radix-64 encoding with the
--clearsign:

  $ gpg --default-key MINE --output list.asc \
        --clearsign list.txt

By that I mean gpg/gpg2 doesn't just do a base64 conversion but also
does other magic stuff. You can stop reading now.

> 1) Where is the UID of the signer, timestamp of the signature and
> signer key-ID stored? If I execute "gpg2 --verify file.asc", then I'm
> able to see the UID of the signer, timestamp and signer key-ID, but if
> I decode the Radix-64/base64 data back to binary(base64 -d) and use
> "hexdump -C" to analyze this data, I do not see the UID, timestamp or
> signer key-ID.

The UID and other things are stored in the string which is usually
more than one line long between the BEGIN PGP SIGNATURE and END PGP
SIGNATURE. But I am puzzled how you did this part. If I copy the now
clear signed list.txt to a justsig.txt file and edit out all but the
hash I get a warning. Actually I get a warning no matter what content
is in the justsig.txt file from the base file:

  $ base64 -d < justsig.asc > list.bin
  base64: invalid input

The list.bin file has zero length unless you use nothing but the hash,
which is the normal way base64 works for email attachments. In any
event, list.bin created with just the hash has no known file type that
magic understands, e.g.:

  $ file list.bin
  list.bin: data
  $ ls -l list.bin
  287 list.bin

Like I said, if you use anything BUT just the hash, list.bin will
contain nothing (zero bytes). But I will ALWAYS get the "invalid
input", meaning it is something base64 does NOT understand. Is this
what you did to get a non-zero length file via base64 -d from a
--clearsign file?

> 2) What exactly is this "PGP signature"? Is it a SHA1 hash of the
> message which is encrypted with my private key and then ASCII armored?

It uses the hash in the preferred order of what is associated with the
key used and what the version of OpenPGP you are using is capable of
handling.
That for me is SHA-256 since that is my first choice and my version of
gpg can handle it. SHA1 is usually the default unless you set your
preferences to something else since it is still difficult to do a
brute attack on SHA1 (but it can be done):

http://securemecca.com/public/GnuPG/GnuPG_Prefs.txt

The hash is created based on the text as input using the private side
of the key and then ASCII armored in such a way that when you verify
it finds the appropriate public key based on the hash and does the
other hash calculation of the text and sees if it matches. In any
event, the markers of --clearsign make it clear that only an OpenPGP
compliant program can handle it. The MIME markings are used by email
to determine what handles it since a --clearsign is what you need to
make the signature something you can send in email but it can be used
for other purposes. It is just that you can NOT send a non-ASCII
signature directly in email without it being converted to ASCII first.
There are other uses of --clearsign, like when you want the signature
and the file contents together.

------------------------------------------------------------

base64, the older uuencode and uudecode and similar programs do
nothing more than convert a binary file like a zip file into ASCII
text so the zip file can be sent as an email attachment. Send a
message to yourself in email with a test.zip attachment. Save the
entire message to a file (for Thunderbird you will have an *.eml
file). Assuming the file was named test.eml and the attachment was
test.zip:

  $ cp test.eml test.base64

Edit the test.base64 file so it has only the hashed material and note
the zip name (assuming test.zip was what you attached and sent). Also
note that it uses base64 as the type in the
"Content-Transfer-Encoding:" if that is what your email used (it
usually is).

  $ base64 -i -d < test.base64 > test.zip
  $ file test.zip
  test.zip: Zip archive data, at least v1.0 to extract
  $ unzip test.zip
  $ cat test.txt
  Hello World

GnuPG does much more than just the Radix-64 binary to ASCII conversion
and only gpg or gpg2 can handle it. Use base64 only if it is specified
in the MIME markings (the latest malware from PeskySpammer here):

  Content-Type: application/zip; name="Tax Notices Report.zip"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; name="Tax Notices Report.zip"

Usually you won't need to use base64 and Thunderbird, Evolution, or
other mail programs will allow the saving of the file unless Microsoft
Exchange munges it in a bounce to you. In that case, if base64 is
specified as the Transfer Encoding type you can save the entire
message to file. Then edit the file and strip off all the other stuff
and get the file out of the hashed stuff even if your mail program can
not do it. But base64 is unusable for a --clearsign or even a
-a --detach-sign where you can more easily see it:

Nest Paw?
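Added example, not part of the original message and not GnuPG's own code: a minimal Python reader for the armored block at the end of a clearsigned file, following RFC 4880. It drops the armor lines that a plain `base64 -d` rejects, then reads the binary creation-time and issuer key-ID subpackets of a version 4 signature packet; the function names are illustrative and the sample is constructed.

```python
import base64, struct

def dearmor(text):
    # Keep only the Radix-64 body: drop BEGIN/END lines, armor headers, "=CRC" line
    lines = [l.strip() for l in text.strip().splitlines()]
    lines = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                  lines.index("-----END PGP SIGNATURE-----")]
    lines = lines[lines.index("") + 1:]      # a blank line ends the armor headers
    if lines[-1].startswith("="):            # optional CRC-24 line, not verified here
        lines.pop()
    return base64.b64decode("".join(lines))

def subpackets(area):
    i = 0
    while i < len(area):              # length is 1, 2 or 5 octets, counts the type
        n, i = area[i], i + 1
        if 192 <= n < 255:
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def parse_signature(pkt):
    if pkt[0] not in (0x88, 0x89, 0x8A):     # assumption: old-format header, tag 2
        raise ValueError("not an old-format signature packet")
    nlen = 1 << (pkt[0] & 3)                 # 1, 2 or 4 length octets
    body = pkt[1 + nlen:1 + nlen + int.from_bytes(pkt[1:1 + nlen], "big")]
    version, sig_type, pk_algo, hash_algo, hlen = struct.unpack(">BBBBH", body[:6])
    if version != 4:
        raise ValueError("only version 4 signatures are handled")
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    info = {"sig_type": sig_type, "hash_algo": hash_algo}
    for kind, data in (sp for area in areas for sp in subpackets(area)):
        if kind == 2:
            info["created"] = struct.unpack(">I", data)[0]   # Unix timestamp
        elif kind == 16:
            info["issuer"] = data.hex().upper()              # 64-bit key ID
    return info

def constructed_sample():                    # constructed data, dummy signature MPI
    hashed = bytes([5, 2]) + struct.pack(">I", 1376265600)          # type 2: time
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")   # type 16: key ID
    body = (bytes([4, 1, 1, 8, 0, len(hashed)]) + hashed +
            bytes([0, len(unhashed)]) + unhashed + b"\xab\xcd\x00\x10\xff\xff")
    pkt = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\n" + pkt +
            "\n-----END PGP SIGNATURE-----\n")
```

`parse_signature(dearmor(open("list.asc").read()))` applies the same steps to a file written by `gpg --clearsign`; `gpg --list-packets list.asc` prints the same fields.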