gpgVerify returns BAD_SIG #28

Open
jose opened this issue Jan 4, 2013 · 7 comments

@jose

jose commented Jan 4, 2013

Hi,

After signing a piece of text with `gpgSignText([signing_key], _message, 1);` I want to verify that signature. So, I run `gpgVerify(_message_signed);`. But that function always returns


{
    data: "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niQIcBAEBAgAGBQJQ5hhUAAoJEAUkJ3wRQIgAOTkP/iEYfbilHGmlvBh3pAEUcp31\ndrw1PF9RRDUR+3pAId66VZ8m9AofSNy3WqQYahpMVKOSEVkCKodv8qeV1m41PGff\n0wNKPrH8GuyEdfuHdUbXredWHPpFJxuVvGca6Dz0W+pZXZOoALOahyvYAgENDawL\nIUwlOXYxBxjQ4lUZBgLTiyMQQFdfqWaBOjZsKpUrW/wg+9ROVobnKI/dFxdU2IRs\nGNOd0GNP9yezEcDMVvTL1xzGfilfONwu2nltvWHTsicULBaeP8fNWeHks311cH1D\n3QMHkYB31k8FLWnRCBTtB8pGS7i0z4RNJ8T4tZltsENB3x5oIRaM9PkvN7SSzFGc\nFbzVccDrI68HYaHlTvC/8rqvbQGUXaUdYoE6AGA/MT9O4g8OiLivGOF0+VfoK4kS\nfmCqsjpjthmBKIBRDh6iT1ud7Mi/D/rqljXgLp+N05UEPsTrOZiwRI3MSU9Qtfum\nSC8aiF3Vdlo67o/ivyykZmiQ1VgfxcJi8wTZOIz+2Ix5APoPmVHMKI4o/3PzJj7V\namJyIZwLr6UxkQuanYCb7nq6bNqI9sQVTebbmVHFiCMKautx4tGfvC2lJaFDjX0w\n7dZVmzwZR09ilLllDYbjDkCwysjBj/PFNv2+0U6KxzE4laaXIEC7348YkMggLtRQ\nGiUHr5Xampvq8AKbEvfE\n=qgfi\n-----END PGP SIGNATURE-----\n",
    error: "false",
    message_type: "detached_signature",
    signatures: {
        0: {
            expiration: "0",
            fingerprint: "0524277C11408800",
            status: "BAD_SIG",
            timestamp: "0",
            validity: "unknown"
        }
    }
}

but if I call `gpgSignText` with sign_mode equal to 0 or 2, the verification works ok.

I use Debian Squeeze x64, gpg v1.4.10, gpg2 v2.0.14, libgcrypt v1.4.5.

Cheers ;)

@ghost ghost assigned kylehuff Jan 4, 2013
@kylehuff
Owner

kylehuff commented Jan 4, 2013

The reason it is reporting a bad signature is because it doesn't know what the original text was. The Verify method doesn't yet support passing the originally signed data or file handle.

This is on my TODO list, and if it is holding you up in some way I could see about escalating the timeline.

However, do you really want a detached signature? Or would a normal signature (that includes the message, without plaintext) suffice?

@jose
Author

jose commented Jan 4, 2013

Yah, I want a detached signature.

Well, if you want I can improve the Verify method to support this feature. Where is your TODO list for this project (if there is one)?

@kylehuff
Owner

kylehuff commented Jan 5, 2013

If you want to tackle that, I accept patches and merge requests.

My other TODO items I took care of with the last few commits (which I noticed your repo is a little bit behind); so I can't think of anything else that needs to be done at the moment.

If you are going to implement this functionality, I suggest maybe keeping in mind the possibility of a file handle being passed, for cases where the object to verify is too large to pass in a string object. Although there shouldn't be too much of that happening in the browser, it might be a good idea to at least plan for the possibility.

Let me know if you need anything. I think the code is mostly documented in-line, but I know some things have changed and no longer apply to the comments.

Also (if you don't mind sharing) I would love to hear how you are using webpg-npapi, and what you like or dislike about it. If you prefer, we can have that conversation in a less public format; I can usually be reached via IRC on irc.freenode.net with the handle "kylehuff". I also idle in #webpg.

kylehuff added a commit that referenced this issue Feb 14, 2013
* Added ability to verify a detached signature; per issue #28
@kylehuff
Owner

The above mentioned commit [4534aa3] modifies the gpgVerify method to accept an additional argument, which is the plaintext version of the signed data of a detached signature. i.e.:

plugin.gpgVerify("... signature text ...", "... signed text ...")

Unfortunately, this breaks any existing calls to gpgVerify, as it now expects at least an empty string to be passed to the method in the second argument. I hope to have this argument optional before the final release of v0.9.4, however this should at least allow you to test the change.

@kylehuff
Owner

gpgVerify now accepts the second plaintext argument as an optional parameter.

Please report back if this does not resolve your issue, and thank you for your patience.
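
Added example, not part of the original thread or the webpg-npapi code: a fail-closed JavaScript wrapper around the result object shown in the report, using the two-argument gpgVerify form described above. The "GOOD" status string, the helper names and the stand-in plugin are assumptions made for illustration; only "BAD_SIG" appears in the thread.

```javascript
// Added example: fail-closed handling of gpgVerify results for detached signatures.
const DETACHED_HEADER = "-----BEGIN PGP SIGNATURE-----";
const GOOD_STATUS = "GOOD"; // assumed value; the thread only shows "BAD_SIG"

function isDetachedSignature(armored) {
  return armored.trimStart().startsWith(DETACHED_HEADER);
}

// `plugin` is any object exposing gpgVerify(signature, signedText) as described above.
function verifySignedText(plugin, signatureText, signedText) {
  const detached = isDetachedSignature(signatureText);
  if (detached && typeof signedText !== "string") {
    // Without the signed data there is nothing to hash, so refuse early
    // instead of surfacing a misleading BAD_SIG.
    return { ok: false, reason: "detached signature requires the signed text" };
  }
  const result = detached
    ? plugin.gpgVerify(signatureText, signedText)
    : plugin.gpgVerify(signatureText);
  // The report shows error as the string "false", which is truthy in
  // JavaScript, so compare explicitly rather than testing `if (result.error)`.
  if (!result || (result.error !== false && result.error !== "false")) {
    return { ok: false, reason: "plugin reported an error" };
  }
  const sigs = Object.values(result.signatures || {});
  if (sigs.length === 0) {
    return { ok: false, reason: "no signatures in result" };
  }
  // Every signature must be good; one bad status fails the whole check.
  const bad = sigs.find((s) => s.status !== GOOD_STATUS);
  if (bad) {
    return { ok: false, reason: "signature status " + bad.status,
             fingerprint: bad.fingerprint };
  }
  return { ok: true, fingerprints: sigs.map((s) => s.fingerprint) };
}

// Constructed stand-in for the plugin so the example runs offline.
function makeFakePlugin(expectedText) {
  return {
    gpgVerify(signature, text) {
      const status = text === expectedText ? GOOD_STATUS : "BAD_SIG";
      return { error: "false", message_type: "detached_signature",
               signatures: { 0: { fingerprint: "0524277C11408800", status } } };
    },
  };
}
```
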

@jose
Author

jose commented Feb 14, 2013

Hi Kyle, thanks for the update. Last month and this one were completely insane months, full of deadlines and stuff to do... Next month I hope that I will have some time to return to this project...

Cheers ;)

@kylehuff
Owner

No problem. I will leave this issue open until I hear back from you to let me know if it resolves your request.

Also, (if you don't mind sharing) I would still love to hear how your project is using webpg-npapi.
