Eugene Smiley on Thu, 4 Sep 2003 09:22:06 -0400

Re: [PLUG] gpg spoof?

Jeff Abrahamson wrote:

> Now, I don't suspect Erin was trying to spoof me, and she had enclosed
> a semi-random string that I had encrypted to her. So this one case
> doesn't bother me.

According to what you listed...

> gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID
> gpg: Good signature from "Erin Mulder <>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88

It is just warning you that the signature is good, but that this
person doesn't have a signature that you trust. In PGP you would get
something like this:

*** Status:   Good Signature from Invalid Key
*** Alert:    Please verify signer's key before trusting signature.

> But, in general, how can I distinguish between the end of the
> encrypted message and the beginning of the "gpg: Signature ..." stuff?
> Couldn't someone just include such a (forged) signature block at the
> end of their message, then encrypt the whole thing without signing,
> and so convince me that the message was signed by someone else?

It is possible. One Spammer has even tried using fake PGP sigs to try
to get a few "bonus" points from SpamAssassin. This is always easy to

However, trying to fake the signature verification is harder if that's
what you are referring to. The 'attacker' would need to know about your
specific setup to make it convincing, but it would still be noticeable
if you were to look at the original message and verify it manually.

Version: GnuPG v1.2.2-nr2 (Windows XP)
Comment: Using GnuPG with Mozilla -


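An added example, not code from the list post: GnuPG also reports verification results on a separate descriptor given with `--status-fd`, as machine-readable `[GNUPG:]` lines, so a check that reads only those lines cannot be fooled by "gpg: Good signature ..." text pasted into the message body. The status lines, key ID and fingerprint below are constructed placeholders, not real keys.

```python
import re

# CONSTRUCTED sample of what gpg writes to the --status-fd descriptor
# (e.g. `gpg --status-fd 2 -d msg.asc 2>status.txt`) for the case in the
# thread: good signature, but the key has no trust assigned.
STATUS_UNTRUSTED = """\
[GNUPG:] GOODSIG 0000000000000000 Placeholder User <user@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2003-09-04 1062648932 0 3 0 17 2 00
[GNUPG:] TRUST_UNDEFINED
"""

# CONSTRUCTED: a forged "gpg:" block inside the plaintext only ever reaches
# stdout; nothing is written to the status descriptor for it.
STATUS_FORGED_BODY_ONLY = ""

STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Return (keyword, args) pairs from status-fd output only.
    Lines without the '[GNUPG:] ' prefix (human-readable 'gpg:' chatter or
    message text) are ignored, which is the whole point of the check."""
    records = []
    for line in status_text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            records.append((m.group(1), m.group(2) or ""))
    return records


def signer_fingerprint(status_text):
    """Fingerprint of the signing key from VALIDSIG, or None if unsigned."""
    for kw, args in parse_status(status_text):
        if kw == "VALIDSIG":
            return args.split()[0]
    return None


def verdict(status_text):
    """One of: 'bad', 'unverifiable', 'unsigned', 'good-untrusted', 'good-trusted'."""
    kws = {kw for kw, _ in parse_status(status_text)}
    if "BADSIG" in kws:
        return "bad"
    if "ERRSIG" in kws or "NO_PUBKEY" in kws:
        return "unverifiable"
    if "GOODSIG" not in kws or "VALIDSIG" not in kws:
        return "unsigned"          # includes a forged block in the body
    if "TRUST_FULLY" in kws or "TRUST_ULTIMATE" in kws:
        return "good-trusted"
    return "good-untrusted"        # TRUST_UNDEFINED / MARGINAL / NEVER
```

Because the parser keys on the `[GNUPG:]` prefix, it is safe to point `--status-fd` at stderr and feed the whole captured stream in.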