ietf-openpgp

Re: Lack of clarity in dash-escaped?

2005-11-30 07:52:08

On Wed, Nov 30, 2005 at 10:40:40AM +0000, Ben Laurie wrote:

"   Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at
    the end of any line is removed when the cleartext signature is
    generated."

Does this mean they should not be included in the signature, or also
that they should be stripped from the dash-escaped text?

A goal of cleartext signatures is that they can survive this sort of
whitespace mangling in transport, so it's actually unimportant if the
whitespace is removed from the dash-escaped text or not.  Either way,
they are not part of the signature, so even implementations that
differ on this point can still verify each other's signatures.

"   The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
    SIGNATURE-----' line that terminates the signed text is not
    considered part of the signed text."

Does this mean that one should insert an extra <CR><LF> before the
terminating line? I notice that at least some implementations do not.

I think always writing an extra CRLF is the wrong thing to do, if it
is not present in the original document.  The text from the draft here
just says that the last CRLF (the CRLF that is required to put the
BEGIN PGP SIGNATURE line at the beginning of a line) in the document is
not part of the signed text.

As I see it, reasonable behavior here would be to copy in the original
document (with line ending conversion done) faithfully, then add the
terminating "CRLF-----BEGIN PGP SIGNATURE".  If the last line of the
original document had a line ending (transformed to CRLF here), then
the clearsigned result would include it in the hash and the output:

  this is my last line of text  <-- there was an existing CRLF here
  <--- this is the CRLF from "CRLF-----BEGIN PGP SIGNATURE"
  -----BEGIN PGP SIGNATURE-----

In this case, the hash ends with "this is my last line of textCRLF".

If the last line of the original document didn't have a line ending,
then there would be no blank line, as the CRLF from -----BEGIN PGP
SIGNATURE----- effectively ends that line.

  this is my last line of text  <--- this is the CRLF from "CRLF-----BEGIN PGP SIGNATURE"
  -----BEGIN PGP SIGNATURE-----

In this case, the hash ends with "this is my last line of text" (no
CRLF).

This preserves the existence (or not) of the final line ending in the
clearsigned document.

David
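
The framing described in the message above, as an added Python sketch (not part of the original post and not taken from any OpenPGP implementation). It covers only the text between the armor header and the signature line, does no signing, and the function names are hypothetical.

```python
SIG_LINE = "-----BEGIN PGP SIGNATURE-----"

def split_lines(text: str) -> list[str]:
    """Split on any line ending; a final line ending yields a trailing ''."""
    return text.replace("\r\n", "\n").replace("\r", "\n").split("\n")

def signed_bytes(document: str) -> bytes:
    """Bytes fed to the hash: CRLF line endings, trailing spaces/tabs removed.
    A final line ending in the document is kept, so it is hashed as CRLF."""
    return "\r\n".join(ln.rstrip(" \t") for ln in split_lines(document)).encode()

def cleartext_body(document: str) -> str:
    """Dash-escaped text followed by the terminating CRLF + signature line.
    Trailing whitespace is left in the output; it is not hashed either way."""
    escaped = ["- " + ln if ln.startswith("-") else ln
               for ln in split_lines(document)]
    return "\r\n".join(escaped) + "\r\n" + SIG_LINE

def recover_signed_bytes(cleartext: str) -> bytes:
    """Verifier side: drop the one line ending before the signature line,
    undo dash-escaping, then canonicalize exactly as the signer did."""
    body = "\n".join(split_lines(cleartext)).split("\n" + SIG_LINE, 1)[0]
    plain = [ln[2:] if ln.startswith("- ") else ln for ln in body.split("\n")]
    return signed_bytes("\n".join(plain))

def mangle(cleartext: str) -> str:
    """Constructed transport damage: CRLF -> LF, trailing whitespace lost."""
    return "\n".join(ln.rstrip(" \t") for ln in split_lines(cleartext))

if __name__ == "__main__":
    # Constructed sample documents: same text, with and without a final EOL.
    with_eol = "-- note \t\nthis is my last line of text\n"
    without_eol = "-- note \t\nthis is my last line of text"
    for doc in (with_eol, without_eol):
        clear = cleartext_body(doc)
        print(repr(clear))
        print("hashed:", signed_bytes(doc))
        print("survives mangling:",
              recover_signed_bytes(mangle(clear)) == signed_bytes(doc))
```
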