clearsign.Encode currently creates bad signatures for inputs containing
lines that that consist of only whitespace (gpg --verify and
clearsign.Decode both agree the signature is bad).
RFC 4880 section 7.1 says trailing whitespace is removed when generating
the signature. The previous code correctly handled this for the case of
not being at the beginning of the line by buffering the whitespace.
The previous code had incorrect behavior for the case of being at the
beginning of a line. It was only special-casing dashes and newlines,
directly hashing all other characters.
This happened to work for lines that had leading whitespace followed by
non-whitespace characters, since in that case the leading whitespace is
not trailing.
However, this behavior is incorrect for whitespace-only lines: The
previous code would incorrectly add the first whitespace character to
the hash, when instead it should have been dropped.
This commit moves the whitespace check so that it always happens,
regardless of whether we are at the beginning of a line.
This adds a few tests to capture the expected behavior. The last three
tests fail without the included code change.
Change-Id: I17848b8aaad6f7a4cee414d486be236f7edddd0b
Reviewed-on: https://go-review.googlesource.com/13681
Reviewed-by: Adam Langley <agl@golang.org>
fc08251b06