
Re: [Gnu-arch-users] signatures and checking


From: Tom Lord
Subject: Re: [Gnu-arch-users] signatures and checking
Date: Tue, 27 Jan 2004 08:41:07 -0800 (PST)

    > From: "Johannes Berg" <address@hidden>

    > Here's the relevant part of the RFC (2440)

Very nice.   So the "official word" is already in place.

    > Dash escaped cleartext is the ordinary cleartext where every line
    > starting with a dash '-' (0x2D) is prefixed by the sequence dash '-'
    > (0x2D) and space ' ' (0x20). This prevents the parser from
    > recognizing armor headers of the cleartext itself. The message digest
    > is computed using the cleartext itself, not the dash escaped form.

    > As with binary signatures on text documents, a cleartext signature is
    > calculated on the text using canonical <CR><LF> line endings.  The
    > line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
    > SIGNATURE-----' line that terminates the signed text is not
    > considered part of the signed text.

    > Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of
    > any line is ignored when the cleartext signature is calculated.

    > Therefore, we're safe unless we
    > a) depend on space (tla doesn't afaik)

Correct.

    > b) create lines starting with "-" (neither does it do this).

Correct.

    > Therefore, the approach I outlined above (and implemented in my
    > patch barring errors for unsigned archives which I forgot to
    > test) should work at least with gpg.

    > Bottom line: I think it's sufficient to handle it in a way my
    > patch does.

It's better just to rely on the .check file doing a more rigorous
check.   The awk script will do for now and a convenience feature in
GPG to do the same thing would be nice.

-t
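
An added illustration, not part of the original message or of the patch it discusses: the RFC 2440 rules quoted above (dash escaping, trailing-whitespace stripping, <CR><LF> canonical line endings) written out in Python. It shows why content that depends on trailing whitespace, or that starts lines with "-", needs care. All function names and the sample text are constructed for this example.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def dash_escape(text):
    """Prefix every line that starts with '-' with '- '."""
    return "\n".join("- " + l if l.startswith("-") else l
                     for l in text.split("\n"))

def dash_unescape(text):
    """Undo dash escaping on the framed text."""
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in text.split("\n"))

def canonical_signed_bytes(cleartext):
    """Text the digest is computed over: trailing spaces and tabs
    dropped, <CR><LF> line endings, final line ending excluded."""
    lines = cleartext.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # line ending before BEGIN PGP SIGNATURE is not signed
    return "\r\n".join(l.rstrip(" \t") for l in lines).encode("utf-8")

def frame(cleartext):
    """Build the cleartext framework around a body. The signature block
    is a constructed placeholder, not a real signature."""
    return "\n".join([BEGIN_MSG, "Hash: SHA1", "", dash_escape(cleartext),
                      BEGIN_SIG, "(constructed placeholder)",
                      "-----END PGP SIGNATURE-----", ""])

def extract_cleartext(armored):
    """Recover the signed text from a framed message."""
    lines = armored.replace("\r\n", "\n").split("\n")
    body_start = lines.index("", lines.index(BEGIN_MSG)) + 1  # skip armor headers
    body_end = lines.index(BEGIN_SIG)  # escaped body lines cannot match this
    return dash_unescape("\n".join(lines[body_start:body_end]))

# Constructed sample: one line with trailing spaces, one that imitates
# the signature delimiter.
SAMPLE = "first line  \n" + BEGIN_SIG + "\nlast line"

if __name__ == "__main__":
    print(frame(SAMPLE))
    print(canonical_signed_bytes(SAMPLE))
```

Two bodies that differ only in trailing spaces or tabs produce the same canonical bytes, so a signature cannot detect that difference.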






