Erin Mulder on Thu, 4 Sep 2003 09:45:15 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] gpg spoof?

Hash: SHA1

What if you also run |gpg -o temp.txt, then cat temp.txt and compare.

(temp.txt should only get the message not the signature, so if the
signature's in there too, then it's a spoof.)


Jeff Abrahamson wrote:
| I received an encrypted and signed email which I decrypt and verify by
| piping through gpg (no options). The output looked like below (the
| part indented by two spaces).
| In mutt, I type "|gpg<return>"
| Now, I don't suspect Erin was trying to spoof me, and she had enclosed
| a semi-random string that I had encrypted to her. So this one case
| doesn't bother me.
| But, in general, how can I distinguish between the end of the
| encrypted message and the beginning of the "gpg: Signature ..." stuff?
| Couldn't someone just include such a (forged) signature block at the
| end of their message, then encrypt the whole thing without signing,
| and so convince me that the message was signed by someone else?
|   You need a passphrase to unlock the secret key for
|   user: "Jeff Abrahamson <>"
|   2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID
|   gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28
| 	"Erin Mulder <>"
|   gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02
| 	"Jeff Abrahamson <>"
|   Hi Jeff,
|   It was great meeting you all.   Thanks for signing my key.
|   Cheers,
|   Erin
|   Jeff Abrahamson wrote:
|   > Hi, Erin.
|   >
|   > Could you please respond to this message, signed and encrypted, so
|   > that I know you are who you say you are?
|   >
|   > Here's a semi-random string to include in your response:
|   >
|   >     153758709bcbdfc23f745c0b4656939632cfb6df
|   >
|   > Thanks.
|   >
|   gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID
|   gpg: Good signature from "Erin Mulder <>"
|   gpg: WARNING: This key is not certified with a trusted signature!
|   gpg:          There is no indication that the signature belongs to
the owner.
|   Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


Philadelphia Linux Users Group        --
Announcements -
General Discussion  --