[Linux-ima-devel] Query about ditital signature format (v1 and v2)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Dmitry,

I was going through the evmutils code and have few questions. Would be
great if you could help me out here.

I noticed that both for v1 and v2 of digital signauture we store the
length of signature.

For v1 we seem to be storing bit length (and not byte length) while
for V2 we seem to be storing byte length. Comment says that it is to
make it compatible with gnupg.

For v1:

        /* we add bit length of the signature to make it gnupg compatible
 * */
        blen = (uint16_t *) (sig + sizeof(*hdr));
        *blen = __cpu_to_be16(len << 3);

For v2:

        /* we add bit length of the signature to make it gnupg compatible
 * */
        hdr->sig_size = __cpu_to_be16(len);

Few queries.

- Is it intentional that for V2 we store the length in bytes and not bits.

- Is there any documentation which explains gnupg signature format and it
  requirements for storing length of signature.

- Storing sizse in bits  with-in 2 bytes means that signature can not exceed
  the size of 32 bytes. I am not sure if that's good enough or not.

- What does gnupg compatible mean here? Can I take this sigunature and
  pass as detached signature to gnupg utils and they can verify this
  signature against a given file?

Thanks
Vivek