Package: pgpdump
Version: 0.28-1
Severity: normal

Dear Maintainer,

if a .pgp file contains more than one signature, pgpdump processes only the first one and ignores everything else. This is at least a bit surprising.

Such files do exist, for example the Release.gpg file used by Debian at e.g. http://ftp.de.debian.org/debian/dists/wheezy/Release.gpg (md5:82e5cd8577ae381288c789d083e4d9c5 at the time of this writing).

pgpdump's output is

Old: Signature Packet(tag 2)(540 bytes)
    Ver 4 - new
    Sig type - Signature of a binary document(0x00).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA256(hash 8)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sat Feb 8 11:36:35 CET 2014
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x8B48AD6246925553
    Hash left 2 bytes - 97 45
    RSA m^d mod n(4096 bits) - ...
        -> PKCS-1

However, pgpdump should also show the second signature, i.e.

Old: Signature Packet(tag 2)(540 bytes)
    Ver 4 - new
    Sig type - Signature of a binary document(0x00).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA256(hash 8)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sat Feb 8 11:50:57 CET 2014
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x6FB2A1C265FFB764
    Hash left 2 bytes - f2 3b
    RSA m^d mod n(4096 bits) - ...
        -> PKCS-1

If this is now feasible, please put at least a warning into the manpage.

Christoph

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10.36 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages pgpdump depends on:
ii  libbz2-1.0  1.0.6-5
ii  libc6       2.18-4
ii  zlib1g      1:1.2.8.dfsg-1

pgpdump recommends no packages.

pgpdump suggests no packages.

-- no debconf information
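
Added example (not part of the original report and not pgpdump's code): a minimal Python walker over a binary OpenPGP packet stream, using the RFC 4880 packet-header and subpacket length encodings, that reports the issuer key ID of every signature packet instead of stopping after the first. It assumes the input is already de-armored; `sample_sig` and `SAMPLE` are constructed stand-ins that reuse the two key IDs quoted in the report, not the real Release.gpg signatures.

```python
def _read_len(buf, pos, partial_at=255):   # new-format packet / subpacket length
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    if first >= partial_at:
        raise ValueError("partial body lengths are not handled here")
    return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2

def iter_packets(data):   # yields (tag, body) from a binary (de-armored) stream
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {pos}")
        if hdr & 0x40:                        # new-format header
            tag, (length, pos) = hdr & 0x3F, _read_len(data, pos + 1, 224)
        else:                                 # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            pos += 1 + size                   # size 0: body runs to end of input
            length = int.from_bytes(data[pos - size:pos], "big") if size else len(data) - pos
        yield tag, data[pos:pos + length]
        pos += length

def issuer_ids(area):                         # subpacket type 16 = issuer key ID
    ids, pos = [], 0
    while pos < len(area):
        n, pos = _read_len(area, pos)         # n includes the type octet
        if area[pos] & 0x7F == 16:
            ids.append(area[pos + 1:pos + n].hex().upper())
        pos += n
    return ids

def signature_issuers(data):   # every v4 signature packet (tag 2), not only the first
    found = []
    for tag, body in iter_packets(data):
        if tag == 2 and body[:1] == b"\x04":
            hlen = int.from_bytes(body[4:6], "big")                # hashed area length
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")  # unhashed area length
            found += issuer_ids(body[6:6 + hlen]) + issuer_ids(body[8 + hlen:8 + hlen + ulen])
    return found

def sample_sig(key_id):                       # constructed stand-in, not a real signature
    body = (b"\x04\x00\x01\x08" + b"\x00\x06\x05\x02" + bytes(4)
            + b"\x00\x0a\x09\x10" + bytes.fromhex(key_id) + bytes(2) + b"\x00\x01\x01")
    return b"\x89" + len(body).to_bytes(2, "big") + body

SAMPLE = sample_sig("8B48AD6246925553") + sample_sig("6FB2A1C265FFB764")
```

A verifier built on such a walk can compare the full list of issuers against the set of keys it expects, so a second signature in the file is never silently skipped.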