[Opendnssec-develop] Re: Invalid signature

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Dec 14 09:28:24 UTC 2009



Bump

> Hi
>
> As we said in the last meeting, I should start an email thread about
> the "Invalid signature" problem. At one point we got a bad signature,
> but we could not reproduce it.
>
> Signer Engine will now check all of the signatures. And SoftHSM has a
> compiler option to verify the signature before returning it. Both have
> output to syslog.
>
> Signer Engine:
> WARNING: HSM returned BOGUS signature! Abort signing, retry on next
> resign
>
> SoftHSM (in hexadecimal):
> SoftHSM: C_Sign: Error: Could not verify signature. Data: 54657874
> Sign:
> 2E3C50CDFFFC39F146D67730A982DC17C9C5EBBC77394425F3524F8547CE26AC1E13CF1
> 3
> 534FCE7BE7FCFF263C8CD2C4DE9EBB295C790C1F989C18A32EF0D0853F7E38222FA6ACB
> C
> 29E27692D382FB4CE387C5F171F81567EC0678176EFDB43F
>
> Signer Engine also outputs the bad signature into the tmp zone, which
> does not get distributed:
> fprintf(output, "; signing failed: %s\n", ldns_get_errorstr_by_id(status));
> ldns_rr_print(output, sig);
>
> I think Roy is setting up a test bed, right?
>
> What else can we do?
>
> And for how long should we keep the verifying on by default in the
> Signer Engine?
>
> // Rickard


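The verify-before-release check described in the message above, as an added example that is not part of the original post and is not OpenDNSSEC or SoftHSM code. The toy RSA key, `FlakyHSM`, `sign_zone` and the sample RRsets are assumptions constructed for illustration; only the warning text and the "; signing failed" comment prefix come from the message.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample input; the first item is the "Data: 54657874" value from the log.
SAMPLE_RRSETS = [bytes.fromhex("54657874"), b"example. A 192.0.2.1", b"example. NS ns1.example."]

def digest(data: bytes) -> int:
    """Toy message representative: SHA-256 reduced mod N (no real padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class FlakyHSM:
    """Hypothetical HSM stand-in that corrupts the signature on chosen calls."""
    def __init__(self, bad_calls=()):
        self.calls, self.bad_calls = 0, set(bad_calls)

    def sign(self, data: bytes) -> int:
        self.calls += 1
        sig = pow(digest(data), D, N)
        return sig ^ 1 if self.calls in self.bad_calls else sig

def verify(data: bytes, sig: int) -> bool:
    """Public-key check: needs only (N, E), never the private key."""
    return 0 <= sig < N and pow(sig, E, N) == digest(data)

def sign_zone(hsm, rrsets, log):
    """Sign every RRset, verifying each signature before accepting it.

    Returns (published, tmp). On the first bad signature, signing is aborted,
    nothing is published, and the bad value is kept only in tmp as a comment.
    """
    tmp = []
    for rrset in rrsets:
        sig = hsm.sign(rrset)
        if not verify(rrset, sig):
            log.append("WARNING: HSM returned BOGUS signature! "
                       "Abort signing, retry on next resign")
            tmp.append(f"; signing failed: {rrset.hex()} {sig:X}")
            return None, tmp
        tmp.append((rrset, sig))
    return list(tmp), tmp
```

Calling `sign_zone` again with the same `FlakyHSM` instance models the retry on the next resign: the fault was tied to one call, so the second pass publishes a complete zone.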
