Handle OpenPGP-compliant CSF message verification #40
Merged
alecpl merged 1 commit into pear:master from Apr 5, 2025
GnuPG has traditionally emitted a spurious newline when outputting the text verified from a cleartext signing framework message, if the signed message doesn't contain a trailing newline.

This is clearly wrong according to the OpenPGP specification, which says:

> The line ending (i.e., the <CR><LF>) before the '-----BEGIN PGP
> SIGNATURE-----' line that terminates the signed text is not
> considered part of the signed text.

The test in Crypt_GPG presumes that the trailing newline is returned, as that has been traditional GnuPG (mis)behavior.

This change adjusts the test suite so that it passes regardless of whether GnuPG conforms to the specification or misbehaves in the traditional way.

See https://dev.gnupg.org/T7106 for discussion with upstream.

See also https://gitlab.com/freepg/gnupg/-/merge_requests/15, where the FreePG project is bringing a patched version of GnuPG into compliance with the specification.

Finally, please also see the discussion over on https://bugs.debian.org/1099043 -- Debian's GnuPG is being brought into compliance with the OpenPGP standard for CSF messages, so we need something like this to ensure that the Crypt_GPG test suite succeeds.
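The rule in the quoted specification text, together with a comparison that accepts both GnuPG behaviors described above, as an added PHP example (not code from this pull request or from Crypt_GPG). The function names `csfSignedText` and `matchesVerifiedText`, the sample message, and the choice to join lines with `"\n"` are assumptions made for illustration.

```php
<?php
// Added example, not Crypt_GPG code; names and sample data are constructed.

// Return the signed text of a cleartext-signed message. Per the quoted rule,
// the line ending before the signature armor is not part of the signed text.
function csfSignedText(string $message): string
{
    $lines = preg_split('/\r\n|\n/', $message);
    $start = array_search('-----BEGIN PGP SIGNED MESSAGE-----', $lines, true);
    $end   = array_search('-----BEGIN PGP SIGNATURE-----', $lines, true);
    if ($start === false || $end === false || $end < $start) {
        throw new InvalidArgumentException('not a cleartext-signed message');
    }
    // Skip armor headers such as "Hash:" up to the empty separator line.
    $i = $start + 1;
    while ($i < $end && $lines[$i] !== '') {
        $i++;
    }
    if ($i === $end) {
        throw new InvalidArgumentException('missing empty line after headers');
    }
    $body = array_slice($lines, $i + 1, $end - $i - 1);
    // Undo dash-escaping: a leading "- " was added to lines starting with "-".
    $body = array_map(fn ($l) => strncmp($l, '- ', 2) === 0 ? substr($l, 2) : $l, $body);
    // implode() puts "\n" only between lines, so no trailing newline is added.
    return implode("\n", $body);
}

// Accept the spec-conforming output, or the traditional output with one extra
// "\n" when the signed text itself has no trailing newline.
function matchesVerifiedText(string $expected, string $gpgOutput): bool
{
    if ($gpgOutput === $expected) {
        return true;
    }
    return substr($expected, -1) !== "\n" && $gpgOutput === $expected . "\n";
}

$message = implode("\n", [
    '-----BEGIN PGP SIGNED MESSAGE-----', 'Hash: SHA256', '',
    'Hello, world', '- - dashed line',
    '-----BEGIN PGP SIGNATURE-----', '',
    '(constructed placeholder, not a real signature)',
    '-----END PGP SIGNATURE-----',
]);
$text = csfSignedText($message);
var_dump($text, matchesVerifiedText($text, $text),
    matchesVerifiedText($text, $text . "\n"), matchesVerifiedText($text, $text . "\n\n"));
```

The comparison tolerates exactly one extra newline and only where the description says traditional GnuPG adds it, so a test using it still fails on any other difference in the verified text.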