On 12/31/21 23:12, Robert J. Hansen via Gnupg-users wrote:
>> Shouldn't I be able to verify the signature independently?
>
> Why?
>
> A signature is a piece of data that attests another piece of data is
> unchanged. If it doesn't have a second piece of data to compare to,
> all it can say is "I have a good digital signature that attests to a
> hash value of XYZ for some piece of data, but, uh ... where's the data?"
Makes sense. I see my mistake. I was practicing on my own created
signatures on my own files. So I was able to verify my own .sig because:

gpg: assuming signed data in '/Users/samibadri/desktop/cryptcommands.txt'
gpg: Signature made Sat Jan 1 13:06:36 2022 EST
gpg: using RSA key 5CD9A3BC1577A0FDB8B11CD02DE90FECE5438DA0
gpg: Good signature from "SamiB (pgp key pair #1) <sami.ba...@gmail.com>" [ultimate]
> Detached signatures (clearsign signatures being one kind of them) do
> not include the original data. You can sign gigabytes of data and the
> detached signature will still be only a few hundred bytes in size,
> because the original data isn't there.
I would've thought that a clearsign signature preserves the data above
the pgp signature, in plaintext. Isn't the plaintext above the
signature the original data?
S.B.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
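As an added illustration of the distinction discussed in this thread (example code written for this page, not GnuPG's code and not from either correspondent): the script below pulls the signed text back out of a cleartext signature, following the framing in RFC 4880 section 7 (armor headers, dash-escaping, trailing-whitespace stripping, CRLF canonicalisation), and contrasts it with a detached signature, which has nothing to pull out. Both sample messages are constructed, and the base64 inside the armor is placeholder text rather than a real signature; only the framing is meaningful.

```python
"""Added example: extract the signed text from an OpenPGP cleartext signature
(RFC 4880 section 7) and contrast it with a detached signature, which carries
no data.  SAMPLE_CLEARSIGNED and SAMPLE_DETACHED are constructed; the base64
inside the armor is placeholder text, not a real signature."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed clearsigned message.  Lines of signed text that begin with "-"
# are dash-escaped with a "- " prefix so they cannot be mistaken for armor
# lines; the trailing space and tab on the first line are ignored by a verifier.
SAMPLE_CLEARSIGNED = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "gpg --detach-sign cryptcommands.txt \t",
    "- -- a signed line that really begins with two dashes",
    "- ----- a row of dashes the author typed",
    "end of signed text",
    BEGIN_SIG,
    "",
    "UExBQ0VIT0xERVIgU0lHTkFUVVJFIEJPRFk=",   # placeholder, not a signature
    "=AAAA",                                    # placeholder CRC line
    END_SIG,
    "",
])

# Constructed detached signature (the shape "gpg --detach-sign --armor"
# produces): only an armored signature block, no trace of the signed file.
SAMPLE_DETACHED = "\n".join([
    BEGIN_SIG,
    "",
    "UExBQ0VIT0xERVIgU0lHTkFUVVJFIEJPRFk=",   # placeholder, not a signature
    "=AAAA",
    END_SIG,
    "",
])


def split_clearsigned(text):
    """Return (armor headers, signed lines, armored signature) for a cleartext
    signature.  Signed lines come back with dash-escaping removed but are
    otherwise untouched, i.e. exactly the plaintext the author wrote."""
    lines = text.split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)   # first unescaped footer
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not an OpenPGP cleartext-signed message") from None

    headers = {}
    i = start + 1
    while i < sig_start and lines[i] != "":          # "Hash: ..." header lines
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1

    signed = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return headers, signed, signature


def canonical_signed_text(signed_lines):
    """The bytes a verifier actually hashes: trailing spaces and tabs removed,
    lines joined with CRLF, and no line ending after the last line (the line
    break before the signature footer is not part of the signed text)."""
    return "\r\n".join(l.rstrip(" \t") for l in signed_lines).encode("utf-8")


def carries_signed_data(text):
    """True if the armor embeds the signed text (clearsign); False for a bare
    signature block that must be paired with the original file to verify."""
    return BEGIN_SIGNED in text.split("\n")


if __name__ == "__main__":
    hdrs, signed, sig = split_clearsigned(SAMPLE_CLEARSIGNED)
    print("hash algorithm:", hdrs["Hash"])
    print("signed text as written:", signed)
    print("bytes hashed:", canonical_signed_text(signed))
    print("clearsign carries data:", carries_signed_data(SAMPLE_CLEARSIGNED))
    print("detached carries data:", carries_signed_data(SAMPLE_DETACHED))
```

The point the split makes visible: a clearsigned file is the original text plus a signature block appended, so gpg can verify it on its own, while a detached .sig or .asc contains only the signature block and gpg has to be told (or guess, as the "assuming signed data in" line above shows) which file it belongs to.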