Quantcast

GPG Signature Verification

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

GPG Signature Verification

Paul Taukatch-2

Hello and thank you for taking the time to help out!

I am developing my own implementation of the PGP specification and have a question regarding the signature generation/verification for Transferable Public Keys that maybe one of you could help shed some light on. Currently I create a single primary RSA key and userID and bind the two with a certification self-signature (0x13). When importing this certificate into GPG I get a a signature verification failure which prevents the certificate from importing.

I've read through the rfc4880, 5.2.4 - Computing Signatures section quite thoroughly and believe I am generating the signature properly - Signing the Hash context of the primary key + user ID + signature data (V4).

One thing I notice in the debug info is that the first several few bytes of the rsa_verify data and rsa_verify cmp do not match.

DBG: rsa_verify <a href="data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff">data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042007 \
DBG: 3d952c71b2d7c2c945c60f828f087e1d517774f84fe30825f18709659466e7

DBG: rsa_verify cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffff00302f300b0609608648016503040201042007 \
DBG: 3d952c71b2d7c2c945c60f828f087e1d517774f84fe30825f18709659466e7

Does anyone know exactly what this verify data is comprised of? I notice that the hash of the (Primary Key + UserID + Signature Data hash context) = 073D952C71B2D7C2C945C60F828F087E1D517774F84FE30825F18709659466E7 which seems to match for both the verify data and cmp.

I've attached my public key and debug log but please let me know if there is any other information that might be helpful.

(See attached file: exportZPGPTest.bin)(See attached file: debug.txt)

Thanks Again!


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


exportZPGPTest.bin (672 bytes) Download Attachment
debug.txt (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: GPG Signature Verification

Kristian Fiskerstrand-6
On 04/20/2017 09:17 PM, Paul Taukatch wrote:
> I've attached my public key and debug log but please let me know if there
> is any other information that might be helpful.

The first reference that springs to mind is [RFC4880] Section 5.2.4.
Computing Signatures

References:
[RFC4880]
https://tools.ietf.org/rfc/rfc4880.txt
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"By three methods we may learn wisdom: First, by reflection, which is
noblest; Second, by imitation, which is easiest; and third by
experience, which is the bitterest."
(Confucius)


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: GPG Signature Verification

Kristian Fiskerstrand-6
On 04/21/2017 09:16 AM, Kristian Fiskerstrand wrote:
> On 04/20/2017 09:17 PM, Paul Taukatch wrote:
>> I've attached my public key and debug log but please let me know if there
>> is any other information that might be helpful.
>
> The first reference that springs to mind is [RFC4880] Section 5.2.4.
> Computing Signatures

Of course you already mentioned this in your initial email :) Looks
correct to me.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If your kids are giving you a headache, follow the directions on the
aspirin bottle, especially the part that says "keep away from children."
(Neil McElroy)


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Loading...