
Detached signature

Open algv opened this issue 8 years ago • 3 comments

Does kbpgp support creating detached signatures?

In changelog:

0.1.18 (2014-05-27) Detached signature generation and verification.

But I cannot find an example, and my script does not work:

    var params = {
      detached: true,
      msg: "Here is my manifesto",
      sign_with: alice
    };

    kbpgp.box(params, function(err, result_string, result_buffer) {
      console.log(err, result_string, result_buffer);
    });

detached: true is always ignored.

algv avatar Feb 15 '17 14:02 algv

By my read of the code, it's not supported... I don't remember implementing it....

maxtaco avatar Feb 16 '17 17:02 maxtaco

AFAIK the default settings return a detached signature. From my npm package:

    const signedMessage = await box({ sign_with: keyManager, msg: message })
        .then((signed) => signed)

This will return a detached signature. You can run the tests to see an example:

jjperezaguinaga:~/workspace/keybase-sign (master) $ npm run test

> [email protected] test /home/ubuntu/workspace/keybase-sign
> standard && jest

 PASS  test/index.test.js
  ✓ returns a signed message given a private key that can be verified with its public pair (819ms)
  ✓ throws an error given when signing a message with a locked key given the wrong password (58ms)

Test Suites: 1 passed, 1 total
Tests:       2 passed, 2 total
Snapshots:   0 total
Time:        3.796s
Ran all test suites.
  console.log test/index.test.js:13
    The user signed the message -----BEGIN PGP MESSAGE-----
    Version: Keybase OpenPGP v2.0.68
    Comment: https://keybase.io/crypto
    
    yMCQAnicAUQBu/7EDQMACgFK7D7a1hCEhQHLFHUAWOnXNVRoaXMgaXMgYSB0ZXN0
    wsBcBAABCgAGBQJY6dc1AAoJEErsPtrWEISFFmgH/0JhcFa2M+0nBNnVRPxvl7WW
    /wxttK0n6IwETT3ePgqXayuN2bl1vOPrlZ2hueP5pe3ESAql/6Lj1C3oKcCLI499
    oKAFhB22tS20kHX28i4wEb+6/jrblg/LtwpbtyTb22Fpq08TsDuLL5l9R5DFAQL6
    3PJsxcIBpXFB5e0CuZ8tcL3P2eQiP4TG0QpW0Ex9o6kJ7rWGr6uKZ5wFV+wS3OQg
    LiKJj6VgCE3ZT/6+mDiH9ys6V7QE/QPSA8pYjh6Iv3Zl5BAlZjhu2jpfZPfW4AuA
    AIdBMJ+z4P73bXHNNg6Xp11FsUVYw3KyTuq/o0m1rLVLAviGO4vUu6cW5yYDbbRu
    7Zvs
    =NGp2
    -----END PGP MESSAGE-----

0xjjpa avatar Apr 09 '17 06:04 0xjjpa

@jjperezaguinaga That output appears incorrect for a cleartext signed message according to RFC 4880 Section 6.2: https://tools.ietf.org/html/rfc4880#section-6.2.

BEGIN PGP SIGNATURE
Used for detached signatures, OpenPGP/MIME signatures, and
cleartext signatures.  Note that PGP 2.x uses BEGIN PGP MESSAGE
for detached signatures.

In this case it would likely look something like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The user signed the message
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.68
Comment: https://keybase.io/crypto
    
yMCQAnicAUQBu/7EDQMACgFK7D7a1hCEhQHLFHUAWOnXNVRoaXMgaXMgYSB0ZXN0
wsBcBAABCgAGBQJY6dc1AAoJEErsPtrWEISFFmgH/0JhcFa2M+0nBNnVRPxvl7WW
/wxttK0n6IwETT3ePgqXayuN2bl1vOPrlZ2hueP5pe3ESAql/6Lj1C3oKcCLI499
oKAFhB22tS20kHX28i4wEb+6/jrblg/LtwpbtyTb22Fpq08TsDuLL5l9R5DFAQL6
3PJsxcIBpXFB5e0CuZ8tcL3P2eQiP4TG0QpW0Ex9o6kJ7rWGr6uKZ5wFV+wS3OQg
LiKJj6VgCE3ZT/6+mDiH9ys6V7QE/QPSA8pYjh6Iv3Zl5BAlZjhu2jpfZPfW4AuA
AIdBMJ+z4P73bXHNNg6Xp11FsUVYw3KyTuq/o0m1rLVLAviGO4vUu6cW5yYDbbRu
7Zvs
=NGp2
-----END PGP SIGNATURE-----

Also, that payload seems relatively big for a detached signature of that message; it seems that the payload being generated is likely including the message. It seems likely that, as @maxtaco claimed, detached signatures are either not implemented or there's a bug somewhere such that, regardless of the detached flag being true, it is always generating an embedded signature that includes the message.

gubanotorious avatar Dec 20 '18 18:12 gubanotorious
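
An added example (not code from kbpgp or from any commenter in this thread): one way to check whether an armored blob is a detached signature is to walk its OpenPGP packet tags per RFC 4880 sections 4.2 and 4.3, ignoring the armor label. A detached signature holds only signature packets (tag 2); an embedded one also carries literal data (tag 11), possibly inside a compressed packet (tag 8). The helper names and the sample packets are constructed for illustration, and the dummy signature bytes do not verify.

```javascript
const zlib = require('zlib');
// Decode one ASCII-armored block: skip armor headers (up to the blank line) and the "=XXXX" CRC line.
function dearmor(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  const start = lines.findIndex((l) => l.includes('-----BEGIN PGP'));
  const end = lines.findIndex((l) => l.startsWith('-----END PGP'));
  const body = lines.slice(lines.indexOf('', start) + 1, end).filter((l) => l && l[0] !== '=');
  return Buffer.from(body.join(''), 'base64');
}
// Walk packet headers (RFC 4880 section 4.2) and collect tags, descending into compressed data.
function packetTags(buf, tags = []) {
  for (let i = 0; i < buf.length;) {
    const hdr = buf[i++];
    if (!(hdr & 0x80)) throw new Error('not an OpenPGP packet header');
    const tag = hdr & 0x40 ? hdr & 0x3f : (hdr >> 2) & 0x0f;
    let len;
    if (hdr & 0x40) { // new-format length
      const o = buf[i++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + buf[i++] + 192;
      else if (o === 255) { len = buf.readUInt32BE(i); i += 4; }
      else throw new Error('partial body lengths are not handled here');
    } else { // old-format length: 1, 2 or 4 octets, or indeterminate (runs to the end)
      const n = [1, 2, 4, 0][hdr & 3];
      len = n ? buf.readUIntBE(i, n) : buf.length - i; i += n;
    }
    const body = buf.subarray(i, (i += len));
    tags.push(tag);
    if (tag === 8) { // compressed data: algorithm octet (1 = ZIP, 2 = ZLIB), then the stream
      const inflate = { 1: zlib.inflateRawSync, 2: zlib.inflateSync }[body[0]];
      if (!inflate) throw new Error('unsupported compression algorithm');
      packetTags(inflate(body.subarray(1)), tags);
    }
  }
  return tags;
}
// Detached = signature packets (tag 2) only; literal data (tag 11) means the message is embedded.
function classify(armored) {
  const tags = packetTags(dearmor(armored));
  if (tags.includes(11)) return 'embedded';
  return tags.length > 0 && tags.every((t) => t === 2) ? 'detached' : 'other';
}
// Constructed samples (bodies under 192 bytes): dummy signature bytes, not verifiable.
const pkt = (tag, body) => Buffer.concat([Buffer.from([0xc0 | tag, body.length]), body]);
const armor = (type, bin) => `-----BEGIN PGP ${type}-----\n\n${bin.toString('base64')}\n-----END PGP ${type}-----`;
const sig = pkt(2, Buffer.alloc(20, 1));
const inner = Buffer.concat([pkt(4, Buffer.alloc(13)), pkt(11, Buffer.from('u\0\0\0\0\0This is a test')), sig]);
const embedded = pkt(8, Buffer.concat([Buffer.from([2]), zlib.deflateSync(inner)]));
console.log(classify(armor('MESSAGE', embedded)), classify(armor('SIGNATURE', sig)));
```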