Hi vedaal,

On Thu, 01 Nov 2018 15:20:33 -0400, vedaal via Gnupg-users wrote:

> On Thursday, 01.11.2018, 17:42 +0100, Stefan Claas wrote:
> > On Thu, 01 Nov 2018 16:09:56 +0100, Dirk Gottschalk wrote:
> > ....
> > > That is the reason why I like to sign the .pdf, containing my key
> > > data, with a qualified eIDAS conform signature. The detached GnuPG
> > > sig should be additional info that matches the key data in the
> > > document.
>
> =====
>
> This will work well in that if the signature verifies, then the
> information in the .pdf can be considered reliable.
>
> It is, however, very easy for a MITM attack to 'break' the signature
> by very subtly altering the pdf.
>
>
> Try this:
>
> [1] Take your finished pdf and select all the text and copy it into a
> new Libre Office document.
>
> [2] At the end of your text, just add a period.
>
> [3] Use Libre Office's font coloring to change the color of the added
> period to white.
>
> [4] Export this new document as a pdf with the same file name as your
> original pdf, and the same metadata.
>
> [5] The pdf looks exactly the same, but the signature will no longer
> verify.
>
>
> I don't trust a detached, signed pdf
> (Again, I do, if it verifies, but am not sure if it doesn't verify).
>
> A simple, but slightly tedious workaround, would be to GnuPG Armor
> Sign the .pdf
>
> The eIDAS signature will still work, but the Armored Signed message
> is much harder to alter, and such alteration is detectable as
> malicious rather than a 'mistake'.
Thank you very much for this valuable information, much appreciated!
It is now a bit late, but I will try this out tomorrow.

> Also,
> If you are planning to post your public keyblock in this pdf, please
> be aware that pdf treats a line return as empty whitespace, so when
> trying to import the key, GnuPG does not recognize the empty
> whitespace, and reads the version line as continuous with the
> keyblock, and it won't import.

The idea was to only publish the key data from an output like
gpg --check-sigs, which should give a user enough data.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
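The armor-import failure vedaal describes, as an added example that is not part of this thread and not GnuPG's own code: the script builds a well-formed public key block around a constructed payload (deterministic bytes, not a real key), collapses its line breaks the way copy-pasting out of a PDF does, shows that the collapsed text no longer parses because the mandatory blank line between the armor headers and the base64 body has become ordinary whitespace, then rebuilds the line structure and checks the OpenPGP CRC-24 trailer. The 64-character body width used to find where the header section ends is an assumption about how GnuPG writes armor, not a requirement of the format, and `repair_armor`, `parse_armor`, `is_well_formed` and the sample payload are mine.

```python
"""Rebuild an ASCII-armored OpenPGP key block whose line breaks were
collapsed to spaces (as happens when text is copied out of a PDF) and
check its CRC-24 trailer.  Added example, not GnuPG code."""
import base64
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
# Armor header keys listed in RFC 4880, section 6.2.
HEADER_KEYS = ("Version", "Comment", "MessageID", "Hash", "Charset")
# Assumption: GnuPG writes the base64 body in 64-character lines, so the
# first 64-character base64 token marks the end of the header section.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{64}$")

# Constructed payload: not a real key, just 150 deterministic bytes so the
# block spans several body lines (64 + 64 + 64 + 8 base64 characters).
SAMPLE_PAYLOAD = bytes(range(7, 157))


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880, section 6.1) over the decoded payload."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes, version: str = "GnuPG v2") -> str:
    """Wrap a payload in a well-formed public key block: header line, the
    mandatory blank line, 64-column base64 body, '=' + CRC-24, tail line."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, f"Version: {version}", "", *body, f"={crc}", END]) + "\n"


def flatten_like_pdf(text: str) -> str:
    """Simulate copy-pasting from a PDF: every line break, including the
    blank separator line, collapses into a single space."""
    return " ".join(text.split())


def parse_armor(text: str) -> tuple:
    """Strict parse returning (headers, payload, crc).  Raises ValueError
    when the structure an importer relies on is missing."""
    lines = text.strip().split("\n")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("armor header or tail line not on its own line")
    try:
        blank = lines.index("", 1)
    except ValueError:
        raise ValueError("no blank line between armor headers and body") from None
    if not lines[-2].startswith("="):
        raise ValueError("missing CRC line before the tail")
    headers = lines[1:blank]
    payload = base64.b64decode("".join(lines[blank + 1:-2]))
    crc = int.from_bytes(base64.b64decode(lines[-2][1:]), "big")
    return headers, payload, crc


def is_well_formed(text: str) -> bool:
    """True when the block parses and the CRC-24 trailer matches the payload."""
    try:
        _, payload, crc = parse_armor(text)
    except ValueError:
        return False
    return crc == crc24(payload)


def repair_armor(flat: str) -> str:
    """Heuristically restore the line structure of a flattened key block:
    header tokens are regrouped under their 'Key:' labels, the blank line is
    reinserted, body tokens go back one per line, then the CRC and tail."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), flat, re.S)
    if not m:
        raise ValueError("no armored public key block found")
    tokens = m.group(1).split()
    if not tokens or not tokens[-1].startswith("="):
        raise ValueError("missing CRC token")
    crc_line, tokens = tokens[-1], tokens[:-1]
    first = next((i for i, t in enumerate(tokens) if B64_LINE.match(t)), len(tokens))
    headers = []
    for tok in tokens[:first]:
        if tok.endswith(":") and tok[:-1] in HEADER_KEYS:
            headers.append([tok])
        elif headers:
            headers[-1].append(tok)
        else:
            raise ValueError(f"unexpected token before body: {tok!r}")
    lines = [BEGIN, *(" ".join(h) for h in headers), "", *tokens[first:], crc_line, END]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = armor(SAMPLE_PAYLOAD)
    flat = flatten_like_pdf(good)
    print("original parses:", is_well_formed(good))
    print("flattened parses:", is_well_formed(flat))
    fixed = repair_armor(flat)
    print("repaired parses:", is_well_formed(fixed), "identical:", fixed == good)
```

The blank line is the part an importer cannot do without: RFC 4880 requires it even when no header lines are present, and a PDF-to-text copy turns it into whitespace that is indistinguishable from the spaces inside "Version: GnuPG v2". The CRC-24 check at the end is the same checksum GnuPG verifies on any armored input, which is also what makes vedaal's armored-signed message a better carrier than a detached signature over a PDF: an edit to the armored text fails the checksum before the signature is even examined, rather than producing a plausible-looking document that merely does not verify.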
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users