search

aead / minisign

A dead simple tool to sign files and verify digital signatures.
https://jedisct1.github.io/minisign/
MIT License
117 stars 15 forks source link

Signature verification broken #7

Closed infraweavers closed 3 years ago

infraweavers commented 3 years ago

Hiya,

I think this implementation's signature verification is different from both https://github.com/jedisct1/go-minisign and https://jedisct1.github.io/minisign/

The attached file has a valid signature (also attached) as produced by https://github.com/jedisct1/minisign/releases/download/0.9/minisign-win32.zip :

D:\sign>"C:\Users\RobertEmery\Documents\minisign.exe" -V -m robtest.ps1 -P "RWQ3ly9IPenQ6Wgt/VYzMCdGdVJPPoNSyT+rtTddvqBgANTYdboko0zu"
Signature and comment signature verified
Trusted comment: timestamp:1617721023   file:robtest.ps1

Yet when run through this reimplementation it shows as invalid:

D:\sign>C:\Users\RobertEmery\Downloads\minisign-main\minisign-main\minisign.exe -V -m robtest.ps1 -P "RWQ3ly9IPenQ6Wgt/VYzMCdGdVJPPoNSyT+rtTddvqBgANTYdboko0zu"
Error: signature verification failed

ExampleValidSignature.zip

aead commented 3 years ago

@infraweavers Thanks for reporting this.

This issue is caused by carriage returns (\r) at the end of the untrusted and trusted comment. The current implementation does not trim any trailing \r characters when parsing the signature. This causes the comment signature verification to fail since it tries to verify a comment (with a \r) that was signed without \r.

This problem will occur in particularly on OS that end newlines with \r\n (i.e. windows).

PR #8 will fix this.

jedisct1 commented 3 years ago

Good catch, and thanks for the quick fix!