
He's saying that, even though he changed the message, the signature still validated. He doesn't realize that the resulting GPG file contains the message, so it's verifying it against its own, stored copy.


That's what I thought, but couldn't confirm. Basically he's verifying a valid file and inferring it relates to a different file.

Sounds more like a UX problem than a technical one. It's equivalent to me zipping up a folder, changing the contents of that folder, then expecting the zip file to have the change as well.


I think dvh is confused about detached signatures and signatures that contain their payload.

For detached signatures:

    gpg --verify message.sig message
For signed files:

    gpg --verify message.sig
    gpg --output message --decrypt message.sig
It's all documented¹.

Dvh: what are you getting at?

1: https://www.gnupg.org/gph/en/manual/x135.html
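The confusion described above, reproduced end to end as an added example (not code from the thread): a throwaway key signs a file both ways, the file is then edited on disk, and each signature is checked again. The key identity, file names and message contents are assumed for the demo; everything lives under a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added demonstration, not part of the HN thread. An embedded ("normal")
# signature carries its own copy of the message, so editing the file on disk
# cannot break it; a detached signature is checked against whatever file you
# name, so editing that file does break it. Runs under a temp GNUPGHOME, so
# nothing in ~/.gnupg is touched. Requires gpg 2.1 or newer.
set -eu

# Body runs in a subshell so the cd/export do not leak into the caller.
sig_mode_demo() (
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  # Throwaway, passphrase-less signing key (hypothetical identity).
  gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: sig-demo
Name-Email: sig-demo@example.invalid
Expire-Date: 0
%commit
EOF
  cd "$work"
  printf 'pay 10 EUR\n' > message
  gpg --batch --quiet --output message.sig --sign message                 # embeds a copy of message
  gpg --batch --quiet --output message.sig.detached --detach-sign message # signature only
  printf 'pay 10000 EUR\n' > message                                       # "change the message"

  # Embedded: gpg ignores ./message entirely and verifies the copy inside message.sig.
  if gpg --batch --verify message.sig 2>/dev/null; then embedded=good; else embedded=bad; fi
  # Detached: gpg hashes ./message as it is now, so the edit is caught.
  if gpg --batch --verify message.sig.detached message 2>/dev/null; then detached=good; else detached=bad; fi
  # Recover what the embedded signature actually covered: the stored original.
  gpg --batch --quiet --output message.orig --decrypt message.sig 2>/dev/null
  stored=$(cat message.orig)

  echo "embedded=$embedded detached=$detached stored=$stored"
  cd / && rm -rf "$work"
)

sig_mode_demo
```

The single-line summary shows the embedded signature still "Good" while the detached one fails, and that the text the embedded check actually validated is the original `pay 10 EUR`, not the edited file.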


I'm just trying to point out that it is easy to make a mistake by checking a normal signature and a detached signature.


This reminds me of Craig Wright's blog post where he "proved" he is Satoshi, albeit that one was deliberately misleading.

Off-topic, I think addressing people with 'they' is more polite when the gender is ambiguous, despite the stats being in your favour.


Funny you mention 'they'. I usually do that but noticed in one of my replies I used 'he'. Turns out I reciprocate what others say without thinking about it.



