jmarans has asked for the wisdom of the Perl Monks concerning the following question:

I've been trying to extract a tar file from between
the cleartext sections of a pgp signature, but find
it's not as simple as stopping syswrite where
-----BEGIN PGP SIGNATURE----- begins.

Even stopping at the \n in front of that leaves me
with a munged tar file.

I'm able to verify the signature with GnuPG::Interface,
so I suspect I don't understand the gpg file format.
Actually, I'm sure I don't.

Re: extracting original from gpg clearsigned file
by BazB (Priest) on Jan 17, 2002 at 04:41 UTC

    Is this tar file from an email or something? Is it MIME::Base64 encoded, or encoded by another method, or is it binary?

    PGP/GPG signed files should not modify the information between the

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    and
    -----BEGIN PGP SIGNATURE-----

    tags; the only thing I've noticed is a munging of the .signature delimiter '--' to '- --'.

    Sorry if I'm stating the obvious with this, but one thing that's just struck me, crazy though it is: you're not trying to get a file from something like

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)

    iD8dBQE8Rg1UOcb+EPeM7ggRApQSAJ0dqFfLKZ5QkRUAHJFZHcjJ5dV2-QCeOPEH
    ybtpRe\\KLR7bCdt0YOtcnk=
    =dugR
    -----END PGP SIGNATURE-----

    Are you?

    That's only a signature which is sometimes distributed as another file - for example the linux kernel tarball has a kernel-2.x.x.tar.gz.sign file associated with it, which contains the PGP signature for the kernel tarball.

    You use that file with PGP/GPG to check that the (in this example) kernel tarball hasn't been changed - similar to checking an md5sum - the tarball isn't part of that GPG signature!
    All the signature tells you is which key/who signed it, and gives some checksum information for the file you should check it against.

    Cheers

    BazB.

      The original tarfile is created on a linux box using
      tar on a group of files that are variously text, and
      gzip'd binary. It really is just a regular tar file.

      I then do a gpg --clearsign <filename> and get a
      filename.asc as output.

      I thought the --clearsign option would only sandwich the
      file between 2 text strings, but that looks like a
      non-starter. Even turning off compression, -z 0,
      doesn't seem to do it. So I've gone back to trying
      to get GnuPG::Interface to decrypt a .gpg signed file
      output by gpg --sign <filename>.

      There's something about GnuPG::Interface I'm not
      getting ...
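The dash-escaping BazB mentions ('--' written as '- --') is why cutting the .asc at the signature line gives a munged body: every cleartext line that begins with '-' is prefixed with "- " inside the clearsigned block, and that prefix has to be stripped again. The script below is an added example, not code from the thread; it walks the clearsign armor (BEGIN line, "Hash:" headers, blank line, body, BEGIN PGP SIGNATURE) and un-escapes the body. It does not check the signature, so run gpg --verify (or GnuPG::Interface) on the .asc first and only trust the recovered body when that passes; and because --clearsign is a text-mode signature, binary input such as a tar file is not guaranteed to round-trip even after correct un-escaping.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Recover the cleartext body of an OpenPGP clearsigned message.
# Layout: "-----BEGIN PGP SIGNED MESSAGE-----", armor headers such as
# "Hash: SHA1", one blank line, the body, then the
# "-----BEGIN PGP SIGNATURE-----" ... "-----END PGP SIGNATURE-----" block.
# Body lines that originally began with '-' were written as "- -...",
# so the "- " prefix is removed here (the "- --" munging from the thread).
# The newline just before the BEGIN PGP SIGNATURE line belongs to the
# armor, not to the signed text, so the body is joined without it.
sub extract_cleartext {
    my ($asc) = @_;
    my @lines = split /\n/, $asc, -1;
    my ($i, $n) = (0, scalar @lines);
    $i++ while $i < $n && $lines[$i] ne '-----BEGIN PGP SIGNED MESSAGE-----';
    die "no clearsign header found\n" if $i >= $n;
    $i++;                                    # skip the BEGIN line
    $i++ while $i < $n && $lines[$i] ne '';  # skip "Hash:" and other headers
    $i++;                                    # skip the blank separator line
    my @body;
    while ($i < $n && $lines[$i] ne '-----BEGIN PGP SIGNATURE-----') {
        my $l = $lines[$i++];
        $l =~ s/^- //;                       # undo dash-escaping
        push @body, $l;
    }
    die "no signature block found\n" if $i >= $n;
    return join "\n", @body;
}

# Constructed sample (not taken from the thread): a clearsigned text whose
# second line started with two dashes and whose third started with "From ".
# The signature data is a placeholder, so this sample cannot be verified.
my $sample = <<'END';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

first line
- -- a line that started with two dashes
- From the mailbox-style line
last line
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

[constructed placeholder: signature data omitted]
-----END PGP SIGNATURE-----
END

print extract_cleartext($sample), "\n" unless caller;
```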
Re: extracting original from gpg clearsigned file
by BazB (Priest) on Jan 18, 2002 at 03:41 UTC

    This is heading somewhat off-topic (Perl :-), however...
    You should read man gpg. STFW for information on file signing and how it all works.
    Understand the way everything works and have another stab at this.
    You might find it easier to do this on the command line with a couple of dummy files, then once you have it working, figure out how to achieve the same thing with Perl.

    Essentially what you're attempting to do is:

    gpg --verify sigfile signed-files
    Where the result from gpg --clearsign random_tarfile is the 'sigfile' (random_tarfile.asc), and the random_tarfile (which is the 'signed-file(s)') remains unchanged.

      You're right, I haven't absorbed much of the gpg man pages,
      although I have the perl version of gpg->verify()
      working. I can command line extract the original tar
      file from a .gpg signed file with gpg -d -o fn.tar.gpg fn.tar.gpg

      What I've been trying unsuccessfully to do now is
      gpg->decrypt() .gpg files ranging in size from 100k
      to 12 meg.