[pkg-gnupg-maint] SHA-1 and Debian

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 5 00:06:27 UTC 2015


Hi Ansgar--

[ adding pkg-gnupg-maint ]

On Thu 2015-11-05 08:16:34 +0900, Ansgar Burchardt wrote:
> Does this mark the signature as invalid or just output a warning like
> above?
>
> I tried creating a MD5 signature (gpg2 --digest-algo=md5 --clearsign) and
> feeding it to both gpg1 (1.4.19-6) which gave a warning that MD5 is
> deprecated, but accepted it:
>
>   gpg: Signature made Wed Nov  4 23:55:23 2015 CET
>   gpg:                using RSA key 0x80132534DD347DC8
>   gpg: WARNING: digest algorithm MD5 is deprecated
>   gpg: please see https://gnupg.org/faq/weak-digest-algos.html for more information
>   [GNUPG:] SIG_ID ...
>   [GNUPG:] GOODSIG ...
>   [GNUPG:] VALIDSIG ...
>
> This means that dak should also accept MD5-signed uploads. I guess we
> could look at the <hash-algo> field in the VALIDSIG to identify &
> reject MD5- and eventually SHA1-signed uploads?  Though I'm not happy
> with hardcoding algorithm lists in dak... But it might work until we
> switch to a (recent enough) version of gpg2.

I agree that this hack sounds crufty...

> I wonder if gpg1 should also treat MD5 as unreliable and give an error
> instead of just a warning?

Yes, it should.

Last week i asked Werner to consider having gpg 1.4 act the same way as
2.x:

  https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030457.html

Additionally, i proposed the same --weak-digest patch for 1.4.x:

  https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030457.html

I don't think they have many cycles for 1.4 these days (2.1.x is getting
a lot of attention, which is awesome), so it may take a while for
upstream review.

In the meantime, we could consider applying these changes in debian
unstable ourselves, to gain deployment experience.

I think the current behavior of gpg1 is unsafe.

> gpg2 (2.1.9-1) gave an error, though a slightly confusing one:
>
>   invalid clearsig header
>   [GNUPG:] PROGRESS need_entropy X 8 16
>   [GNUPG:] PROGRESS need_entropy X 16 16
>   [GNUPG:] PLAINTEXT 74 0 
>   [GNUPG:] NEWSIG
>   gpg: Signature made Wed Nov  4 23:55:23 2015 CET
>   gpg:                using RSA key 0x80132534DD347DC8
>   gpg: WARNING: signature digest conflict in message
>   [GNUPG:] ERRSIG 80132534DD347DC8 1 1 01 1446677723 1
>
> The documentation states it should give an "invalid digest algorithm"
> message.

I'm assuming you did this with a single clearsigned document and not a
detached signature.

This is a bug in gnupg, but only for clearsigned documents, i think.  it
happens because the clearsigned document indicates the digest used at
the top of it, and then the signature follows with the actual digest,
gpg marks it as an "unusable digest" (i forget how, and don't have time
to look it up at the moment).  then it compares the "unusable digest"
with the known digest function and decides that they don't match.

Someone™ should file a bug on the upstream bug tracker
https://bugs.gnupg.org/ to remind them of this, but it's an aesthetic
issue (and lower priority) compared to 1.4.x actually accepting MD5
signatures.

     --dkg
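The check Ansgar floats above (look at the hash-algo field of the VALIDSIG status line and reject uploads signed with MD5 or, later, SHA-1) can be done outside of gpg itself, which is what a tool like dak would have to do while it still runs gpg 1.4. The following is an added example, not code from this thread, from dak or from GnuPG. It assumes the status-line layout documented in GnuPG's doc/DETAILS (hash algorithm is the eighth field after the VALIDSIG keyword and the third after ERRSIG) and the digest algorithm numbers of RFC 4880 section 9.4 (1 = MD5, 2 = SHA1, 8 = SHA256, ...). The fingerprints in the sample transcripts are constructed placeholders; the status and warning lines are modelled on the output quoted earlier in the thread.

```python
"""Reject GnuPG signatures made with a weak digest by inspecting --status-fd output.

Added example; not dak or GnuPG code. Assumptions: VALIDSIG field layout from
GnuPG doc/DETAILS and digest algorithm ids from RFC 4880 section 9.4.
"""
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# RFC 4880 hash algorithm ids -> names (subset that gpg commonly emits).
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Policy: digests an archive should no longer accept on signed uploads.
WEAK_DIGESTS = {1: "MD5", 2: "SHA1"}

# Status keywords after which gpg has not vouched for the signature.
FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def parse_status(lines):
    """Yield (keyword, fields) for every machine-readable status line.

    Human-readable stderr lines ("gpg: WARNING: ...") are ignored; only the
    "[GNUPG:] ..." lines are a stable interface.
    """
    for line in lines:
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def verdict(lines, policy=WEAK_DIGESTS):
    """Decide whether a gpg verification run should be accepted.

    Returns (accepted, reason). Accept only when gpg emitted a VALIDSIG whose
    hash algorithm is not in `policy`; any failure keyword, a missing VALIDSIG
    or a malformed one is rejected. GOODSIG alone is not enough, because gpg1
    emits GOODSIG for an MD5 signature and only warns on stderr.
    """
    validsig = None
    for keyword, fields in parse_status(lines):
        if keyword in FAILURE_KEYWORDS:
            detail = ""
            # ERRSIG <keyid> <pubkey_algo> <hash_algo> <sig_class> <time> <rc>
            if keyword == "ERRSIG" and len(fields) >= 3 and fields[2].isdigit():
                detail = " (hash algo %s)" % DIGEST_NAMES.get(int(fields[2]), fields[2])
            return False, "%s reported by gpg%s" % (keyword, detail)
        if keyword == "VALIDSIG":
            validsig = fields
    if validsig is None:
        return False, "no VALIDSIG status line"
    # VALIDSIG <fpr> <sig_date> <sig_ts> <expire_ts> <sig_version> <reserved>
    #          <pubkey_algo> <hash_algo> <sig_class> [<primary_fpr>]
    if len(validsig) < 8 or not validsig[7].isdigit():
        return False, "malformed VALIDSIG line"
    algo = int(validsig[7])
    name = DIGEST_NAMES.get(algo, "algo %d" % algo)
    if algo in policy:
        return False, "signature uses weak digest %s" % name
    return True, "signature digest %s acceptable" % name


def verify_file(path):
    """Run gpg on a clearsigned file and return the verdict (not used offline).

    --status-fd 1 sends the status lines to stdout; the human-readable
    messages stay on stderr and are merged in so the same parser sees both.
    """
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return verdict(proc.stdout.splitlines())


# Constructed transcripts (placeholder fingerprints), modelled on the thread.
GPG1_MD5_TRANSCRIPT = """\
gpg: Signature made Wed Nov  4 23:55:23 2015 CET
gpg:                using RSA key 0x80132534DD347DC8
gpg: WARNING: digest algorithm MD5 is deprecated
[GNUPG:] SIG_ID constructedSigId 2015-11-04 1446677723
[GNUPG:] GOODSIG 80132534DD347DC8 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-11-04 1446677723 0 4 0 1 1 01 0000000000000000000000000000000000000000
""".splitlines()

GPG2_MD5_TRANSCRIPT = """\
[GNUPG:] NEWSIG
gpg: Signature made Wed Nov  4 23:55:23 2015 CET
gpg:                using RSA key 0x80132534DD347DC8
gpg: WARNING: signature digest conflict in message
[GNUPG:] ERRSIG 80132534DD347DC8 1 1 01 1446677723 1
""".splitlines()

SHA256_TRANSCRIPT = """\
[GNUPG:] GOODSIG 80132534DD347DC8 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-11-04 1446677723 0 4 0 1 8 01 0000000000000000000000000000000000000000
""".splitlines()

if __name__ == "__main__":
    for label, lines in (("gpg1/MD5", GPG1_MD5_TRANSCRIPT),
                         ("gpg2/MD5", GPG2_MD5_TRANSCRIPT),
                         ("gpg/SHA256", SHA256_TRANSCRIPT)):
        print(label, verdict(lines))
```

The gpg1 transcript is the interesting case: GOODSIG and VALIDSIG are both present, so a naive "did gpg say GOODSIG?" check would accept the MD5 signature, and only the hash-algo field reveals it. The gpg2 transcript is rejected by gpg itself via ERRSIG, and the parser just reports which digest it refused. Extending the policy to SHA-1 is a one-entry change to `WEAK_DIGESTS`, which is exactly the hardcoded list the thread is uneasy about, but kept in one place.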


