OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: GPG 1.0.3 doesn't detect modifications to files with multiple signatures
From: Jim Small (cavenewtMY-DEJA.COM)
Date: Wed Oct 11 2000 - 14:30:19 CDT


('binary' encoding is not supported, stored as-is) Attached is multiple copies of a file I had signed. Then I started modifying parts of the SIGNED message. To see if gpg could detect that the messages had been altered. It did not detect them, so long as the last signed message had not been altered.

Save this message as newfile.asc and run
gpg --verify newfile.asc -o /dev/null
to see for yourself (the key it was signed with is available via keyservers)

asdfasfasdfd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just added by one stuff to thie message
bogugfirst file encrypted with nobody dude on uinix box, send to nethole forpmail

this is actually encrypted with a valid pgpg key imported form win95

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----

middle stuff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

another wrong
first file encrypted with nobody dude on uinix box, send to nethole forpmail

this is actually encrypted with a valid pgpg key imported form win95

another file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538hvZi9y1BQncn4RAolnAKCwEJTyPm6895ybQfk1D5IfeqJjmwCg4MlP 3NbvJocg5ksql40aOTZf0MY=
=yBf2
-----END PGP SIGNATURE-----

asfasfasf end stuff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail

this is actually encrypted with a valid pgpg key imported form win95

bogud

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----

stuff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail

this is actually encrypted with a valid pgpg key imported form win95

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first file encrypted with nobody dude on uinix box, send to nethole forpmail

this is actually encrypted with a valid pgpg key imported form win95

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE538QlZi9y1BQncn4RAj/vAKCmfScBFegl6LMD3Q99N51pvuHAIQCfUv5+ a05Yt6xZwd/PxtQsRe+88AQ=
=siBR
-----END PGP SIGNATURE-----
gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smalljnethole.com>" gpg: aka "Jim Small <smalljpacbell.net>" gpg: aka "James F. Small, Jr. <smalljsaic.com>" gpg: aka "James F. Small, Jr. <smalljsmall.cx>" gpg: Signature made Sat Oct 7 18:05:51 2000 PDT using DSA key ID 1427727E
gpg: BAD signature from "James F. Small, Jr. <smalljnethole.com>" gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smalljnethole.com>" gpg: aka "Jim Small <smalljpacbell.net>" gpg: aka "James F. Small, Jr. <smalljsaic.com>" gpg: aka "James F. Small, Jr. <smalljsmall.cx>" gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smalljnethole.com>" gpg: aka "Jim Small <smalljpacbell.net>" gpg: aka "James F. Small, Jr. <smalljsaic.com>" gpg: aka "James F. Small, Jr. <smalljsmall.cx>" gpg: Signature made Sat Oct 7 17:47:33 2000 PDT using DSA key ID 1427727E
gpg: Good signature from "James F. Small, Jr. <smalljnethole.com>" gpg: aka "Jim Small <smalljpacbell.net>" gpg: aka "James F. Small, Jr. <smalljsaic.com>" gpg: aka "James F. Small, Jr. <smalljsmall.cx>"

------------------------------------------------------------
--== Sent via Deja.com http://www.deja.com/ ==--
Before you buy.