[pkg-gnupg-maint] Bug#795636: Bug#795636: gnupg-agent: adding 384-bit ECDSA key puts wrong fingerprint in sshcontrol

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Aug 15 23:11:34 UTC 2015


Control: forwarded 795636 https://bugs.gnupg.org/gnupg/issue2075
Control: tags 795636 + upstream

Hi Brian--

On Sat 2015-08-15 23:45:09 +0200, brian m. carlson wrote:
>
> I added the following ECDSA SSH key earlier today (with GnuPG 2.1.6).
> gpg-agent added it to sshcontrol with an incorrect MD5 fingerprint:
>
>   ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIcIk0jxxbWcr5s6TK2CNnH8qJRfnSe7pWCHohPnIOKqDMqPJcEDjntMXukXjpnzMVv/ToBvMqCK49uztCzPUiF0kIBhziVvyGkZqrUrJd2BD2wedrpCTfY//dA9viKLrQ== bmc at vauxhall
>
>   # ECDSA key added on: 2015-08-15 20:51:39
>   # MD5 Fingerprint:  bf:b2:5c:1e:be:8a:63:74:19:50:bf:23:21:3c:ff:5e
>   0D3ADB5BC29D85ECCA7397095962CB389A1C734D 0
>
> Considering the simplicity of the algorithm[0], I'm not sure why this is
> broken, but it does appear to be.  This is confusing, but otherwise
> purely aesthetic.  The key functions correctly and can be used normally.

thanks for this report.  It looks like this is true only for NIST 384.
it doesn't happen for 256 or 521.

I've reported it upstream at the URL above.

> (Once OpenSSH 7.0 hits unstable, you might consider putting the SHA-256
> fingerprint in instead, but that's another bug report.)

yep, we'll work on that one separately :)

all the best,

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20150816/aeefe53a/attachment.sig>


More information about the pkg-gnupg-maint mailing list