
Under certain conditions verification results reference the wrong Signing Key as well as wrong Signed File
Reported by steve | November 17th, 2022 @ 12:08 AM
Reproduce
1. Install GPG Tools.
2. Open GPG Keychain.
3. Create two keys (say key 1 and key 2).
4. Open Terminal (or any other app where you can easily create a file).
5. Create a file:
       echo 123 > testfile.txt
6. Open the testfile.txt directory in Finder.
7. Open the context menu for the file.
8. Services -> OpenPGP: Sign File
9. Choose key 1 and sign the file with a detached signature (say signature 1).
10. In Finder, open the context menu for testfile.txt.sig.
11. Services -> OpenPGP: Sign File
12. Choose key 2 and sign the file with a detached signature (say signature 2).
13. Edit testfile.txt, e.g. from Terminal:
       echo 000 > testfile.txt
14. In Finder, double-click on signature 2 - it shows a good signature (key 2) and that the signed file is testfile.txt.sig.
15. In Finder, double-click on signature 1 - it shows a good signature (key 2) and that the signed file is testfile.txt.sig itself.
What did you expect instead
On step 15:
1. The app shows wrong information about the signature. It must show key 1 as the key which signed testfile.txt.
2. The app shows the wrong file that was signed. It must be testfile.txt, not testfile.txt.sig.
3. The app shows wrong information about file verification. It must state that the signature is bad, because the file has changed after signing.
In Terminal, using the gpg/gpg2 utility, the correct verification results are shown.
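
The command-line baseline the report refers to, as an added example that is not part of the original ticket: it repeats the steps with gpg in a throwaway keyring and reads the machine-readable status line for each signature. It assumes GnuPG 2.1 or later on PATH; the key user IDs and the name testfile.txt.sig.sig for signature 2 are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: CLI baseline for the ticket's reproduction steps.
# Everything lives in a temporary keyring; both keys are unprotected test keys.

repro_setup() {
  WORK=$(mktemp -d) || return 1
  export GNUPGHOME="$WORK/gnupg"
  mkdir -m 700 "$GNUPGHOME" || return 1
  # Constructed user IDs standing in for "key 1" and "key 2".
  for uid in key1@example.invalid key2@example.invalid; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never || return 1
  done
  echo 123 > "$WORK/testfile.txt"
  # Signature 1: key 1 signs testfile.txt.
  gpg --batch --quiet --local-user key1@example.invalid \
      --output "$WORK/testfile.txt.sig" \
      --detach-sign "$WORK/testfile.txt" || return 1
  # Signature 2: key 2 signs signature 1 (output name is an assumption).
  gpg --batch --quiet --local-user key2@example.invalid \
      --output "$WORK/testfile.txt.sig.sig" \
      --detach-sign "$WORK/testfile.txt.sig" || return 1
  # Change the signed file after signing.
  echo 000 > "$WORK/testfile.txt"
}

# verify_status SIGFILE DATAFILE
# Names the data file explicitly so gpg cannot pick another one, and prints
# "GOODSIG <uid>" or "BADSIG <uid>" taken from the --status-fd output.
verify_status() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG") { print $2, $4 }'
}

repro_cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$WORK"
}

repro_setup || exit 1
trap repro_cleanup EXIT
echo "signature 1 over testfile.txt:     $(verify_status "$WORK/testfile.txt.sig" "$WORK/testfile.txt")"
echo "signature 2 over testfile.txt.sig: $(verify_status "$WORK/testfile.txt.sig.sig" "$WORK/testfile.txt.sig")"
```

Signature 1 should report BADSIG for key 1 and signature 2 should report GOODSIG for key 2, which is the result the ticket expects the Finder service to show.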