On Fri, 30 Sep 1994, Alan Barrett wrote:
The bug seems to be present in all versions (even the ViaCrypt versions have this problem). It has been reported as a bug to the MIT pgp-keepers.
The "bug" looks like a deliberate design decision to me. Everything from the "--- BEGIN PGP" line to the first blank line is ignored, and is not considered part of the signed message. There's a comment in the source code (file armor.c in the versions I checked), saying "Skip header after BEGIN line".
Yes, this was a deliberate design decision, most probably so the same code could be used to parse --- BEGIN PGP ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However, this is a _huge_ security hole, as it allows the nearly-undetectable modification of PGP-signed messages. Mike -- Michael Handler <grendel@netaxs.com> PGP public key available 1984: We're Behind Schedule Civil Liberty Through Complex Mathematics