Bug#706742: libgnupg-perl: $gnupg->verify() fails if signature has OpenPGP notation subpacket
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat May 4 07:25:58 UTC 2013
Package: libgnupg-perl
Version: 0.19-1
Severity: normal
Some signatures that I wish to verify have an OpenPGP Notation
subpacket in them.
You can create these signatures with:
    echo test > test.txt
    gpg --sig-notation test@example.net=abc123 --detach-sign --armor test.txt
and then you can verify them with:
    gpg --status-fd 1 --verify test.txt.asc test.txt
which produces status-fd output like the following:
    [GNUPG:] SIG_ID ader2rZR418urkx2zsi3l7YwtvM 2013-05-04 1367652205
    [GNUPG:] GOODSIG A52401B11BFDFA5C Daniel Kahn Gillmor <dkg at fifthhorseman.net>
    [GNUPG:] NOTATION_NAME test@example.net
    [GNUPG:] NOTATION_DATA abc123
    [GNUPG:] VALIDSIG EB9691287A7ADDE3757D911EA52401B11BFDFA5C 2013-05-04 1367652205 0 4 0 1 10 00 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
    [GNUPG:] TRUST_ULTIMATE
However, using verify() from Perl's GnuPG module causes a crash because it was not expecting NOTATION_NAME or NOTATION_DATA:
    protocol error: expected VALIDSIG at /usr/share/perl5/GnuPG.pm line 159
    GnuPG::abort_gnupg('GnuPG=HASH(0x1285c00)', 'protocol error: expected VALIDSIG') called at /usr/share/perl5/GnuPG.pm line 669
    GnuPG::check_sig('GnuPG=HASH(0x1285c00)') called at /usr/share/perl5/GnuPG.pm line 707
    GnuPG::verify('GnuPG=HASH(0x1285c00)', 'signature', 'test.txt.asc', 'file', 'test.txt') called at ./vfy.pl line 15
--dkg
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libgnupg-perl depends on:
ii gnupg 1.4.12-7.1
ii perl 5.14.2-21
libgnupg-perl recommends no packages.
libgnupg-perl suggests no packages.
-- debconf-show failed
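An added example, not part of the original report and not GnuPG.pm's code: a Python status-fd reader that dispatches on each line's keyword, so NOTATION_NAME and NOTATION_DATA lines between GOODSIG and VALIDSIG are collected instead of aborting the parse, while a missing VALIDSIG is still rejected. The function name and result layout are assumptions; the sample lines follow the output in the report, with a constructed user ID.

```python
from urllib.parse import unquote

PREFIX = "[GNUPG:] "

# Status lines modelled on the report's output; the user ID is a constructed placeholder.
SAMPLE = """\
[GNUPG:] SIG_ID ader2rZR418urkx2zsi3l7YwtvM 2013-05-04 1367652205
[GNUPG:] GOODSIG A52401B11BFDFA5C Example Signer <signer@example.net>
[GNUPG:] NOTATION_NAME test@example.net
[GNUPG:] NOTATION_DATA abc123
[GNUPG:] VALIDSIG EB9691287A7ADDE3757D911EA52401B11BFDFA5C 2013-05-04 1367652205 0 4 0 1 10 00 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9
[GNUPG:] TRUST_ULTIMATE
"""


def parse_verify_status(text):
    """Hypothetical helper: parse status-fd output for one signature by keyword."""
    result = {"keyid": None, "user": None, "fingerprint": None,
              "timestamp": None, "trust": None, "notations": {}}
    name = None  # notation name awaiting its NOTATION_DATA line(s)
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # lines without the status prefix are not status output
        keyword, _, args = line[len(PREFIX):].partition(" ")
        if keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            raise ValueError("signature not acceptable: " + line)
        if keyword == "GOODSIG":
            result["keyid"], _, result["user"] = args.partition(" ")
        elif keyword == "NOTATION_NAME":
            name = unquote(args)
            result["notations"][name] = ""
        elif keyword == "NOTATION_DATA" and name is not None:
            # Data is %XX-escaped and may be split across several lines.
            result["notations"][name] += unquote(args)
        elif keyword == "VALIDSIG":
            fields = args.split()
            result["fingerprint"], result["timestamp"] = fields[0], fields[2]
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword[len("TRUST_"):]
        # Any other keyword (SIG_ID, NOTATION_FLAGS, ...) is skipped, not an error.
    # Tolerating extra lines must not weaken the verdict: both lines are required.
    if result["keyid"] is None or result["fingerprint"] is None:
        raise ValueError("no GOODSIG/VALIDSIG pair in status output")
    return result
```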