wu-ftpd-2.6.2 fails GPG & PGP2 signature verifications, passes PGP6!

Werner Koch wk at gnupg.org
Sat Dec 1 09:28:17 EST 2001


On Sat, 01 Dec 2001 03:14:11 -0800, Hugh Daniel said:

> file signature validations should NOT be failing across different
> versions of the horrid PGP/GPG/OpenPGP mess.

I don't know what you mean by this mess.  PGP >= 5 is simply not
OpenPGP compliant, even the 7.x versions seem to have a lot of
problems.

> against its own signature with either GPG or PGP2.  This is VERY bad,
> as you should have tested this before posting the .gs/.asc files, or

I remember a bug report for one of the last releases of wu-ftp where
the signature was also not valid.  The problem that time was that the
signature was created in textmode, which is wrong.  textmode should only
be used on human readable textfiles to cope with trailing whitespace
and line-ending issues.  There are many bugs in the way textmode is
treated - it even differs between the PGP 2.x versions; see rfc3156
for the ways which should be taken to overcome these problems.

You may want to do a 

 gpg --list-packets sigfile

to see how the message is actually composed and to track the problem
further down, 

  gpg --debug 1024 foo.sig foo

should be of great help, because it dumps the data which gets hashed
to some file.  The source of pgp 6.5.8 is available and you may want
to add similar debugging stuff - I am pretty sure that they hash
different things.

Ciao,

  Werner
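
[Added example, not part of the original message or of any PGP/GnuPG code.] The sketch below shows why a text-mode signature over a binary tarball can verify in one implementation and fail in another: each canonicalization rule feeds different bytes to the hash. The two text rules are simplified assumptions modelled on RFC 4880 (5.2.4 and 7.1), the sample data is constructed, and the signature trailer that is also hashed is left out.

```python
import hashlib
import re

# Constructed sample standing in for a .tar.gz: binary data carries
# 0x0A, 0x0D, 0x20 and 0x09 bytes at arbitrary positions.
SAMPLE_BINARY = b"\x1f\x8b\x08\x00data \t\nmore\r\ndata  \n\x00\x01 \r tail"
# Constructed text file, once with LF and once with CRLF line endings.
TEXT_LF = b"release notes\nsecond line\n"
TEXT_CRLF = b"release notes\r\nsecond line\r\n"


def canon_binary(data: bytes) -> bytes:
    """Binary signature (type 0x00): the document is hashed unchanged."""
    return data


def canon_text_crlf(data: bytes) -> bytes:
    """Text signature (type 0x01): line endings are converted to CRLF."""
    return re.sub(rb"\r?\n", b"\r\n", data)


def canon_text_strip(data: bytes) -> bytes:
    """Variant that also drops trailing spaces/tabs on every line."""
    lines = re.split(rb"\r?\n", data)
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


RULES = {
    "binary": canon_binary,
    "text-crlf": canon_text_crlf,
    "text-strip": canon_text_strip,
}


def document_digests(data: bytes) -> dict:
    """Digest of the document part as each rule would hash it."""
    return {n: hashlib.sha256(f(data)).hexdigest() for n, f in RULES.items()}


def implementations_agree(data: bytes, signer: str, verifier: str) -> bool:
    """True if signer and verifier end up hashing the same bytes."""
    return RULES[signer](data) == RULES[verifier](data)


if __name__ == "__main__":
    for name, digest in document_digests(SAMPLE_BINARY).items():
        print(f"{name:10s} {digest}")
    print("text rules agree on tarball:",
          implementations_agree(SAMPLE_BINARY, "text-crlf", "text-strip"))
```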




---------------------------------------------------------------------
The Cryptography Mailing List