standards – What is the PKCS#7 detached signature format?

This website claims that (emphasis added):

In PKCS#7 SignedData, attached and detached formats are supported… In detached format, data that is signed is not embedded inside the SignedData package instead it is placed at some external location…

However, RFC2315 seems to define no such “detached” format.

  • SignedData comprises:
    • version = INTEGER 1
    • digestAlgorithms: SET OF DigestAlgorithmIdentifier
    • contentInfo, comprising:
      • contentType = data (OBJECT ID “1.2.840.113549.1.7.1”)
      • content: Data = the message that was signed
    • signerInfos: SET OF SignerInfo, each comprising:
      • version = INTEGER 1
      • issuerAndSerialNumber
      • digestAlgorithm: DigestAlgorithmIdentifier
      • encryptedDigest: EncryptedDigest = the low-level signature

Neither SignedData/contentInfo nor ContentInfo/content:data are OPTIONAL; and the former may only be one of the six defined types: data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData; I see no detachedData or any similar options. (Choosing digestedData does not resolve it, as ContentInfo/content:digestedData is also non-optional.)

What belongs in the contentInfo field of a detached SignedData object?
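An added example, not part of the original question: in the ASN.1 of RFC 2315 section 7, the `content` field of ContentInfo is declared `[0] EXPLICIT ... OPTIONAL`, so a detached SignedData carries only the contentType OID in its inner contentInfo. The helper names and the signer-less sample blobs below are constructed for illustration, and only definite-length DER is handled.

```python
# DER walk (definite lengths only) over a PKCS#7 SignedData ContentInfo.
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def tlv(tag, body=b""):
    """Encode one DER element (single-byte tags)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] == 0x80:
            raise ValueError("truncated or indefinite-length (BER) element")
        tag, n = body[i], body[i + 1]
        i += 2
        if n & 0x80:                      # long form: next k bytes hold the length
            k = n & 0x7F
            n = int.from_bytes(body[i:i + k], "big")
            i += k
        if i + n > len(body):
            raise ValueError("truncated element")
        out.append((tag, body[i:i + n]))
        i += n
    return out

def make_signed_data(message=None):
    """Constructed sample with no signers; message=None omits the content field."""
    inner = tlv(0x06, OID_DATA)                       # contentType = data
    if message is not None:
        inner += tlv(0xA0, tlv(0x04, message))        # content [0] EXPLICIT OCTET STRING
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31) + tlv(0x30, inner) + tlv(0x31))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, sd))

def embedded_content(der):
    """Return the signed message if embedded, or None for a detached signature."""
    (_, outer), = children(der)
    (_, oid), (_, wrapped) = children(outer)
    if oid != OID_SIGNED_DATA:
        raise ValueError("not a SignedData ContentInfo")
    (_, signed_data), = children(wrapped)
    inner = children(children(signed_data)[2][1])     # third field is contentInfo
    if len(inner) == 1:
        return None                                   # only the OID: detached
    return children(inner[1][1])[0][1]                # OCTET STRING inside [0]
```

When `embedded_content` returns None, a verifier has to obtain the signed bytes from outside the structure before it can check the digest.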

ssl – OpenSSL: tls12_check_peer_sigalg:wrong signature type

So, my first problem started with this Python code failing:

import urllib3

http = urllib3.connection.HTTPSConnection("secure.vonage.com")
http.request("GET", "/")

Which gave me:
ssl.SSLError: (SSL: WRONG_SIGNATURE_TYPE) wrong signature type (_ssl.c:1123)

But, actually, I think I’ve “narrowed” it to finding that it fails from openssl:

openssl s_client -connect secure.vonage.com:443

(It says: 140136096142656:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1145: )

I did do some preliminary searching, and found this: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1

But, I tried that (I’m using ubuntu:20.04) and it didn’t work for me.

Can someone tell me how I can make this work/further debug what the problem is?

FWIW, I tried both with www.google.com and both work then. So, it seems clear there’s a problem with secure.vonage.com, but nevertheless, I do still want to connect to vonage. Also, I’m able to connect to secure.vonage.com via the browser.

Thanks!

javascript – build a Xbonacci function that takes a signature of X elements, each next element is the sum of the last X elements, and returns the first n elements

This is a kata from Codewars; here is the description of the kata:

think of a Quadribonacci starting with a signature of 4 elements and each following element is the sum of the 4 previous, a Pentabonacci (well Cinquebonacci would probably sound a bit more Italian, but it would also sound really awful) with a signature of 5 elements and each following element is the sum of the 5 previous, and so on.

Well, guess what? You have to build an Xbonacci function that takes a signature of X elements – and remember each next element is the sum of the last X elements – and returns the first n elements of the so seeded sequence.

And this is my solution to it:

function Xbonacci(signature, n) {
  let i = 0;
  let k = n - signature.length;
  while (k--) {
    let sumNums = 0;
    //let newArray = (...signature);
    signature.slice(i, signature.length).map((num) => {
      return sumNums += num;
    });

    signature.push(sumNums);
    i++;
  }
  return signature;
}

The code works well but it doesn’t pass the test because of optimization. Is there any way to make this code faster or more optimized? I think the problem is the slice method but I don’t know what to use instead.

Manually build 150 high authority Niche related forum profile backlinks and forum signature for $10

Hi, welcome to my service.

You are already known to the value of Forum backlinks. Your link with your anchor text will be used to submit 150 Forum profile backlinks, this is a very easy, cheap, safe way to rank your links in any search engine.

I will create backlinks for your website on the High Authority niche-related forum site. And I will anchor your keyword in the forum signature option when each backlink. This will get your website ranked in Google very quickly.

Service specialty:–

  • 100% Manual work without Spam
  • All High authority sites
  • Maximum Dofollow Links
  • Keyword anchor text
  • Provide full login details and live Link
  • Improve Website Ranking
  • Accepted any language website
  • 7/24 friendly customer support

Prevent PGP Signature from being Forwarded

I sign my emails using the PGP/MIME scheme through Thunderbird. The scheme works by creating a detached signature of the email body (including headers) and adding it as a separate attachment. This causes the signature to be valid for that email, and only that email, because of the metadata.

This is fine when using Thunderbird as a client, because when replying to or forwarding an email with such a signature, it automatically gets rid of the signature and quotes just the content body.

However, this becomes a problem on clients that do not support the PGP/MIME scheme (such as web Gmail), because they will quote the content body and re-attach the signature. But such a signature is no longer valid because all of the metadata/headers that came with the original mail are removed. Hence, the signature attachment just becomes litter that sticks around.

How can I prevent other people and/or email clients that are non-compliant with the PGP/MIME scheme from re-attaching my signatures when replying to or forwarding my emails?

Do I really have to explicitly tell everyone I contact to specifically remove my signature attachment from my email when forwarding or replying?

Standard form of email signature

A little bit of background: I want to sign my emails for my own safety. None of my intended recipients are users of digital signatures. If one day someone were to impersonate me, I can prove my own identity, and disprove the identity of my impersonator.

I intend to use GPG to produce signatures for my emails. Right now, I am facing a dilemma on how to attach these signatures. Whether to use ‘clearsign’, ‘detached signature’, or just plain old ‘sign’.


I will elaborate on my thought process, and the pros and cons I came up with, of each form of signatures.

Clear Signature

Pros:

  • No external program required to read messages
  • Verification can be done easily

Cons:

  • Intrusive and ugly headers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

some message
-----BEGIN PGP SIGNATURE-----

some signature
-----END PGP SIGNATURE-----

Detached Signature

Pros:

  • No external program required to read messages
  • No intrusive and ugly headers

Cons:

  • To verify messages, the content must be copied and formatted exactly like how it was when used to produce the signature. Reference here.

Normal Sign

Pros:

  • No intrusive and ugly headers

Cons:

  • Require an external program to read messages
  • Or the alternative is, to duplicate the content of the message. One for readability, and another that was baked in the signature, as produced by GPG.
  • When using the alternative, produces longer emails.
  • When using the alternative, to verify a message, one will need to compare the produced output from the baked content in the signature, and the duplicated plain content in the email.

If I were to resort to using ‘clearsign’ when my recipients don’t have a clue about the purpose of digital signatures, the ugly headers will make my emails look unprofessional. I want to ensure any digital signature I attach is as unintrusive as possible.

I could simply remove the headers. However, the process of verifying signatures becomes no less different than ‘detached signature’, although less error prone.

If I were to use just the normal ‘sign’ and duplicate the content for plain reading, in some cases, this procedure defeats the whole point of digital signatures through hashing and getting the fingerprint of the message.

What should I do? What’s the norm of attaching signatures to emails? Are there other alternatives that I have yet to consider?

What block space savings would we get for coinjoins (and payjoins) if we had cross input signature aggregation?

What block space savings (specific numbers in weight units or vbytes) would we achieve for coinjoins (and payjoins) if we had cross input signature aggregation (post a speculative future soft fork that enabled it)?

This question was asked by Mario Gibney on Twitter and has been paraphrased.

signature – How to prove wallet ownership?

Context

I would like to verify being A has access to a wallet and hence would like to ask them to pay a minimum amount to a particular wallet address owned by someone other than me, e.g. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, with a signature ThisIsUnexpected that I gave to the being A.

The basic concept I believe is quite simple, if being A agrees, they share with me their bitcoin wallet address:being_A_bitcoin_wallet_address. Next, I would share the expected signature, and selected recipient address (e.g. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) with being A. Being A then pays a minimal amount of bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. After the transaction is completed, I look at the transaction history of the received donations to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and find the transaction made by being_A_bitcoin_wallet_address. Next, I look at the signature of that particular transaction and verify it reads: ThisIsUnexpected. If the transaction indeed has that signature I have a high certainty being A has access to being_A_bitcoin_wallet_address and I can verify their amount of funds.

Challenge

Though the idea may be relatively simple, I am experiencing some challenges in the execution.

To test the verification procedure, I thought I would look up the signatures of past transactions to that address. Hence I went to: https://www.blockchain.com/btc/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and looked at the list of transactions. At the moment of writing, this is the most recent transaction, so I thought I could perhaps take the Sigscript of the transaction (with index 1) and put it into this signature verification tool to get a human-readable signature. However that tool does not seem to provide a human-readable signature, nor do I know whether the arbitrary transaction I selected contains a “Thank you Satoshi”-like signature.

Question

How could I practically verify the signature of a bitcoin transaction (if it has one)?

Subquestions

I think this question could be segmented in the following sub-questions:

  • How can I verify that an arbitrary transaction contains a human-readable signature?
  • Which information of the transaction data should I use to obtain a human readable form of the transaction signature?
  • Which online resources could be used to verify a signature?
  • Is there a Python script that provides a function: being_has_access_to_wallet(claimed_wallet_access_address, recipient_wallet_address, human_readable_signature, amount=0.0001) that returns True or False using something like a block explorer?