Fix CleartextMessage signature generation over text with trailing whitespace and \r\n line endings #1548
Signing a `CleartextMessage` containing trailing whitespace and \r\n line endings (as opposed to \n) would result in an unverifiable signature. The issue seems to have been present since v3.0.9 (ebeedd3). Note that these broken signatures were unverifiable even in the OpenPGP.js version(s) that generated them.

The problem is that the data was incorrectly normalised before being signed, as trailing whitespace preceding \r\n would not be stripped (but still correctly normalised on verification).
Example of data that would be incorrectly signed:
If you have access to the original data that was signed (with whitespaces preserved), it's possible to verify an affected cleartext signature as a detached signature, by manually normalising the input message data as follows:
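The normalisation mismatch described above, as an added example that is not part of the original pull request and is not OpenPGP.js code: it compares the canonical cleartext form from RFC 4880 section 7.1 (trailing spaces and tabs stripped, CRLF line endings) with a faulty normaliser that splits on \n only. The function names and the sample text are constructed for illustration.

```javascript
// Added example; function names and sample text are constructed for illustration.

// Canonical cleartext form (RFC 4880, section 7.1): strip trailing spaces and
// tabs from every line, then use CRLF line endings.
function canonicalise(text) {
  return text
    .split(/\r?\n/)
    .map(line => line.replace(/[ \t]+$/, ''))
    .join('\r\n');
}

// Faulty variant showing the failure mode described above: lines are split on
// "\n" only, so a line from CRLF input still ends in "\r" and the whitespace
// in front of it no longer counts as trailing.
function faultyNormalise(text) {
  return text
    .split('\n')
    .map(line => line.replace(/[ \t]+$/, ''))
    .join('\n')
    .replace(/\r?\n/g, '\r\n');
}

// 1-based line numbers where the two forms differ, i.e. the lines that make a
// signature over the faulty form fail verification against the canonical form.
function divergentLines(text) {
  const good = canonicalise(text).split('\r\n');
  const bad = faultyNormalise(text).split('\r\n');
  return good.flatMap((line, i) => (line === bad[i] ? [] : [i + 1]));
}

// Constructed sample: line 1 has trailing spaces before CRLF,
// line 2 has trailing whitespace before a bare LF.
const sample = 'first line  \r\nsecond line\t \nthird line';

console.log(JSON.stringify(canonicalise(sample)));
console.log(JSON.stringify(faultyNormalise(sample)));
console.log(divergentLines(sample));
```

Only lines that combine trailing whitespace with a \r\n ending diverge, so text with \n endings or without trailing whitespace produces the same bytes from both functions.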