Dear GnuPG Experts,

for your pleasure I am presenting the first GnuPG Summer Riddle!

20080123ber

Rules:

a) To not spoil the fun for others, please indicate "SOLUTION" in email followups, if you think you've got it.
b) The applications below use the python interpreter with #!/usr/bin/python, have been tested on Debian Sarge and Sid with python2.3, 2.4 and 2.5 and do not depend on external factors like a manipulated binary or operating system. They are safe to run and signed with my key (as you will see).
c) For extra difficulty: Do not look into the application files.
d) The only reward this riddle offers is confidence in your analytic skills.
e) No need to cry "Wolf!" - no signatures nor cryptographic algorithms have been harmed by this riddle. Werner has been notified this summer ...

Story:

It was one of these summer nights in August 2007. The weather was hot and humid so I could not sleep, but I also was too tired to do real work and thus me and my Officer of Out-Of-Planet-operations hung around on IRC. Chatchatting and wasting time, suddenly a strange visitor dropped in. Well, it takes a while until somebody qualifies as "strange" on IRC, but this person? certainly did.

    *** Spoff (n=Spoff@212.22.103.87) has joined channel #gnupg
    Spooff: Hi there, anybody home?
    #gnupg> Yes, barely. ;)
    Are you Earth's crypto experts?
    #gnupg> Not really.
    I am just flying by and checked up on the "GnuPG" software. Quite
    + interesting .. but not really advanced by galactic standards.
    Tell us how to improve it.
    No time to teach you, it also would violate ethic standard #F451.
    #gnupg> Hey, prove it!
    If you make a signature I can easily run a different file through
    + my little application and it will have the same signature.
    /me laughs out loud.
    * Spoff prepares to send an example file.
    *** DCC file send request [2] from Spoff[@212.22.103.87]: manglesig (9312 bytes)
    Spoff is n=Spoff@212.22.103.87 (Spaceman Spoff)
    *** On channels #gnupg
    *** Via server calvino.freenode.net (Milan, IT)
    Where are you from?
    I am from planet a-s-n, way outside of your solar system.
    + Studying some of your culture has been fun, I am jumping to the next station soon.
    Bye and thanks for all the crypto!
    *** Signoff: Spoff has quit (Ping Timeout.)

Okay, I now had this binary on my hard disc. So far so good. My curiosity was tickled. I have used a qemu based sandbox system (its clock being screwed) and gave it a try and it worked! Wow! This was really cool!!!

And now to the sad part of the story: To my and your dismay, I have made a mistake - probably because I am tired, while cleaning up some of the experiments, I accidentally deleted the binary called "manglesig". ;((

I have tried the rest of the night, but in the morning I thought I might have all dreamed it, but I could recover one of the examples which I am attaching to this email. Three files "app4.py", "app5.py" and a signature of app4.py.

See for yourself:

    export LANG=en_GB

    gpg2 --version | grep ver
    License GPLv3+: GNU GPL version 3 or later

    gpg2 --verify app4.py.sig app4.py
    gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
    gpg: Good signature from "Bernhard Reiter "

    gpg2 --verify app4.py.sig app5.py
    gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
    gpg: Good signature from "Bernhard Reiter "

    ./app4.py
    Hi, I'm your app tonight.

    ./app5.py
    Showing resistors is futile, you will be policed!

How is this possible???