
DidiSoft Ltd.

OpenPGP clear sign format details: an edge case

August 19th, 2010

While testing OpenPGP Library for .NET we came across an edge case when producing a clear-signed signature. The interesting part is that two strings that differ in their characters can produce the same output after verification.

If we have:

Case A: stringToSign
Case B: stringToSign\r\n

the produced output in the PGP SIGNED MESSAGE part is the same:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

stringToSign
-----BEGIN PGP SIGNATURE-----
(signature goes here)

So in theory there is no way to determine whether the original was Case A or Case B when we decode and extract the message. This can be verified by extracting the message with gpg/WinPT and with PGP Desktop: PGP Desktop returns Case A in both cases, while gpg returns Case B.

We were in doubt which of the two behaviours to implement and finally chose GnuPG/gpg compatibility. The conclusion is that if you expect messages with no trailing new line, you have to trim the extracted result explicitly.
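The ambiguity above follows from the cleartext signature framing in RFC 4880 section 7.1: the line ending immediately before the "-----BEGIN PGP SIGNATURE-----" line is not part of the signed text, and each line is canonicalised to CRLF with trailing whitespace removed before hashing. The script below is an added example, not DidiSoft's library code; it builds the framing for Case A and Case B, shows that the hashed bytes (and therefore the signature) are identical, and models the two extraction behaviours described in the post. The signature packet is a placeholder because producing a real one needs a private key, and the choice of "\r\n" as the re-inserted terminator in gpg style is an assumption taken from Case B in the post.

```python
"""Added example: why "stringToSign" and "stringToSign\\r\\n" clear-sign identically."""
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def canonical_lines(text: str) -> list:
    """Split on any line ending and strip trailing spaces/tabs from each line.

    A trailing terminator produces an empty final element; RFC 4880 says that
    terminator is not part of the signed text, so it is dropped here. This is
    the step that makes Case A and Case B collapse into the same value.
    """
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return [ln.rstrip(" \t") for ln in lines]


def hashed_bytes(text: str) -> bytes:
    """Bytes fed to the signature hash: canonical lines joined by CRLF, no trailing CRLF."""
    return "\r\n".join(canonical_lines(text)).encode("utf-8")


def signed_hash_hex(text: str) -> str:
    """SHA-1 over the canonical text (matches the 'Hash: SHA1' armor header)."""
    return hashlib.sha1(hashed_bytes(text)).hexdigest()


def clearsign_frame(text: str) -> str:
    """Build the clear-signed block; the signature itself is a placeholder."""
    # Dash-escaping: lines starting with '-' get a "- " prefix inside the armor.
    body = "\n".join(("- " + ln) if ln.startswith("-") else ln
                     for ln in canonical_lines(text))
    return (f"{BEGIN_MSG}\nHash: SHA1\n\n{body}\n"
            f"{BEGIN_SIG}\n(signature goes here)\n{END_SIG}\n")


def extract_cleartext(armored: str, trailing_newline: bool, newline: str = "\r\n") -> str:
    """Pull the signed text back out of a clear-signed block.

    trailing_newline=True models the gpg behaviour described in the post
    (Case B, terminator re-inserted); False models PGP Desktop (Case A).
    Both readings are consistent with the signature, which is the point.
    """
    lines = armored.split("\n")
    start = lines.index("") + 1          # first blank line ends the armor headers
    end = lines.index(BEGIN_SIG)
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[start:end]]
    text = newline.join(body)
    return text + newline if trailing_newline else text


if __name__ == "__main__":
    for case in ("stringToSign", "stringToSign\r\n"):
        print(repr(case), "->", signed_hash_hex(case))
    block = clearsign_frame("stringToSign")
    print(block)
    print("gpg style        :", repr(extract_cleartext(block, True)))
    print("PGP Desktop style:", repr(extract_cleartext(block, False)))
    # The trim the post recommends, applied on the gpg-style result:
    print("trimmed          :", repr(extract_cleartext(block, True).rstrip("\r\n")))
```

Running the script prints the same digest for both cases and the same armored block, then the two extraction results; the last line shows the trim the post recommends when a message without a trailing line ending is expected.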