{"id":18391317,"url":"https://github.com/thblt/badsig","last_synced_at":"2025-07-30T09:04:55.084Z","repository":{"id":68387243,"uuid":"133937631","full_name":"thblt/badsig","owner":"thblt","description":"A collection of GnuPG signed documents for automated signature verification testing.","archived":false,"fork":false,"pushed_at":"2018-05-19T09:50:40.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-12T11:43:39.064Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thblt.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-18T10:04:53.000Z","updated_at":"2018-05-19T09:50:42.000Z","dependencies_parsed_at":"2023-02-26T00:15:09.264Z","dependency_job_id":null,"html_url":"https://github.com/thblt/badsig","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/thblt/badsig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thblt%2Fbadsig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thblt%2Fbadsig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thblt%2Fbadsig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thblt%2Fbadsig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thblt","download_url":"https://codeload.github.com/thblt/badsig/tar.gz/refs/he
ads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thblt%2Fbadsig/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267842977,"owners_count":24153133,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T01:51:27.591Z","updated_at":"2025-07-30T09:04:55.056Z","avatar_url":"https://github.com/thblt.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"#+TITLE: Badsig\n\nThis repository is a collection of text files along with GnuPG\nsignatures, to facilitate testing of automated signature verification\nsoftware.  If you plan to use this repository, please read the full\nREADME before proceeding and use your best judgment when implementing\nthese cases.\n\nPlease note that it's *your* job to verify that the contents of this\nrepository work as described, as expected or as would make sense, that\nthe testing situations it describes are correctly described and match\nthe real-world situations you'll be facing, and so on.  
As the famous\nlicense says, I'm sharing this in the hope that it may be useful to\nothers, but *I don't guarantee anything about it*, not even that it does\nwhat it claims to do, or that it makes any sense.\n\n* The signatures\n\nYou probably want to use the signed files in the =signatures= directory.\n\nThe file names are made of three components, and are to be\nread as follows:\n\n - =Valid= or =Invalid= :: Whether the signature is valid or not.  In\n      =Invalid= files, the message has been tampered with after\n      signing.\n - =KOK= or =KEXP= :: Whether the key is currently valid or has expired.\n - =SOK= or =SEXP= :: Whether the /signature/ is currently valid or has\n      expired (yes, signatures do expire).\n\nThere are also two special cases:\n\n - =Unsigned= :: as the name suggests, this file isn't signed.\n - =Corrupted= :: the signature has been damaged and no verification can take place.\n\n* Using the cases\n\nIt takes more than just verifying each case to test all possible situations.  A good test suite using these files would need to at least:\n\n - Verify the files *without* the public keys in the keyring.  
Having\n   signed contents but no public key is a very common case.\n\n - Revoke the public keys, or the signature subkey, before verifying again.\n\n - Change the keys' ownertrust to make sure your code correctly rejects signatures from untrusted keys.\n\n A good test suite using these files would look like:\n\n #+BEGIN_EXAMPLE\n gpg --delete-key badsig@example.com\n gpg --delete-key badsig-expired@example.com\n run_tests(case=missing-keys)\n\n gpg --import gnupg/badsig.key\n gpg --import gnupg/badsig-expired.key\n run_tests(case=default)\n\n gpg --import-ownertrust \u003c gnupg/never.ownertrust\n run_tests(case=untrusted)\n #+END_EXAMPLE\n\n* Security information\n\nYou should obviously not blindly trust random public keys from the\ninternet.\n\nBoth keys' UIDs are on the standard example domain [[http://example.com][example.com]] as\ndescribed in [[https://www.iana.org/go/rfc2606][RFC 2606]] and [[https://tools.ietf.org/html/rfc6761][RFC 6761]], so they won't conflict with any\nactual email addresses.\n\n* Known limitations\n\nThis was written for parsing the output of =git verify-[tag|commit]\n--raw=.  Git accepts only a single signer per object, so all these\nfiles are signed with a single key.  Should you need to handle multiple\nsigners, feel free to update =mksigns.sh= and send a PR!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthblt%2Fbadsig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthblt%2Fbadsig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthblt%2Fbadsig/lists"}