On Thursday 28 August 2014 22:53:52 TJ wrote:
> I've recently been digging deep into the source-code trying to
> understand what the differences are between --clearsign and
> --detach-sign signatures.

The RFC is probably much easier to read than the source code: http://tools.ietf.org/html/rfc4880

> This came about whilst writing code that calls on "gpg --verify" on
> detached signatures; specifically Debian APT archives that contain
> "Release" (plaintext) and "Release.gpg" (detached signature).
>
> The aim/hope was to combine the plaintext and detached signature into
> the armored clearsign format and thus avoid needing to write one of
> them to the file-system (the other can be supplied via stdin).
>
> I had thought that the message digest hash (in this case SHA512)
> should be the same since the input data is the same whichever
> signing method is used. This didn't work as I had expected so I have
> been digging into the source-code to figure out what is different
> between the two signing methods.

In general the message digest hashes will differ. The reason for this is a different canonicalization of the signed text (provided the detached signature is a text document signature; if it's a binary document signature, no canonicalization is applied). A main difference is the stripping of trailing whitespace in the text (which is done for cleartext signatures but not for text document signatures). For details see http://tools.ietf.org/html/rfc4880#section-5.2.4 and http://tools.ietf.org/html/rfc4880#section-7

Regards,
Ingo
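An added example (not from the thread or from GnuPG) that makes the canonicalization difference concrete: it applies the RFC 4880 rules for a binary document signature (no canonicalization), a text document signature (section 5.2.4, line endings to CRLF) and a cleartext signature (section 7, trailing spaces/tabs stripped per line, CRLF line endings, and the final line ending before the signature block not hashed) to a constructed Release-like snippet and compares the SHA-512 digests. The function names and the sample text are assumptions made for this example.

```python
import hashlib

def canon_text_document(data: bytes) -> bytes:
    """RFC 4880 section 5.2.4 (text document signature): only line
    endings are canonicalized to <CR><LF>; whitespace is kept as-is."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(lines)

def canon_cleartext(data: bytes) -> bytes:
    """RFC 4880 section 7 (cleartext signature): trailing spaces and tabs
    are removed from every line, line endings become <CR><LF>, and the
    line ending immediately before the signature is not part of the
    signed text (so a final newline is dropped)."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    joined = b"\r\n".join(ln.rstrip(b" \t") for ln in lines)
    if joined.endswith(b"\r\n"):
        joined = joined[:-2]
    return joined

def digests(data: bytes) -> dict:
    """SHA-512 over the three canonical forms of the same input."""
    return {
        "binary": hashlib.sha512(data).hexdigest(),
        "text": hashlib.sha512(canon_text_document(data)).hexdigest(),
        "cleartext": hashlib.sha512(canon_cleartext(data)).hexdigest(),
    }

# Constructed sample: a Release-like text with a trailing space on the
# first line and a final newline, as a real file would have.
SAMPLE = b"Origin: Debian \nSuite: stable\n"

if __name__ == "__main__":
    for mode, hexdigest in digests(SAMPLE).items():
        print(f"{mode:10s} {hexdigest[:32]}...")
```

Running it shows three different digests for the same bytes; only an input with CRLF endings, no trailing whitespace and no final newline hashes identically under all three rules.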
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users