[pkg-gnupg-maint] Bug#978630: gnupg: --check-sigs trusts weak digest alg if weak digest was trusted when importing key

Ansgar ansgar at debian.org
Tue Dec 29 12:15:03 GMT 2020 

Package: gnupg
Version: 2.2.20-1
Severity: normal
Tags: upstream

Hi,

gpg --check-sigs seems to trust digest algs depending on what digest
algs were trusted when the key was imported:

I have `weak-digest SHA1` and `weak-digest RIPEMD160` in my gpg.conf
and observed this behavior:

First, importing the key with weak digests allowed:

+---
| $ gpg --delete-key B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
|
| pub  rsa4096/0x5B3C275D60BF72BE 2013-02-24 [...]
|
| Delete this key from the keyring? (y/N) y
| $ gpg --allow-weak-digest-algos --allow-weak-key-signatures  --import /tmp/dada.asc
| gpg: key 0x5B3C275D60BF72BE: 2 signatures not checked due to missing keys
| gpg: key 0x5B3C275D60BF72BE: public key "[...]" imported
| gpg: Total number processed: 1
| gpg:               imported: 1
| gpg: marginals needed: 3  completes needed: 1  trust model: pgp
| gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
| gpg: depth: 1  valid:   5  signed:  11  trust: 0-, 1q, 2n, 0m, 2f, 0u
| gpg: depth: 2  valid:  10  signed:   1  trust: 2-, 0q, 4n, 3m, 1f, 0u
| gpg: next trustdb check due at 2021-03-20
| $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| pub   rsa4096/0x5B3C275D60BF72BE 2013-02-24 [SC] [expires: 2025-02-23]
|       B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-07-16  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-02-21  [...]
| sig!3        0x5B3C275D60BF72BE 2018-02-23  [...]
| sig!3        0x5B3C275D60BF72BE 2013-02-24  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| sub   rsa4096/0xD1660B54B5E3F109 2013-02-24 [E] [expires: 2025-02-23]
| sig!         0x5B3C275D60BF72BE 2020-02-21  [...]
|
| gpg: 7 good signatures
+---

All signatures are fine.  Now try again without the --allow-weak-*
options:

+---
| $ gpg --import /tmp/dada.asc
| gpg: Note: signatures using the SHA1 algorithm are rejected
| gpg: key 0x5B3C275D60BF72BE: 2 signatures not checked due to missing keys
| gpg: key 0x5B3C275D60BF72BE: 4 bad signatures
| gpg: key 0x5B3C275D60BF72BE: public key "[...]" imported
| gpg: Total number processed: 1
| gpg:               imported: 1
| gpg: marginals needed: 3  completes needed: 1  trust model: pgp
| gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
| gpg: depth: 1  valid:   5  signed:   7  trust: 0-, 1q, 2n, 0m, 2f, 0u
| gpg: depth: 2  valid:   7  signed:   2  trust: 0-, 0q, 4n, 2m, 1f, 0u
| gpg: depth: 3  valid:   1  signed:   2  trust: 0-, 0q, 0n, 1m, 0f, 0u
| gpg: next trustdb check due at 2021-03-20
| $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| gpg: Note: signatures using the SHA1 algorithm are rejected
| pub   rsa4096/0x5B3C275D60BF72BE 2013-02-24 [SC] [expires: 2025-02-23]
|       B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-07-16  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-02-21  [...]
| sig%3        0x5B3C275D60BF72BE 2018-02-23  [Invalid digest algorithm]
| sig%3        0x5B3C275D60BF72BE 2013-02-24  [Invalid digest algorithm]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| sub   rsa4096/0xD1660B54B5E3F109 2013-02-24 [E] [expires: 2025-02-23]
| sig!         0x5B3C275D60BF72BE 2020-02-21  [...]
|
| gpg: 5 good signatures
| gpg: 2 signatures not checked due to errors
+---

The same `--check-sigs` command now fails!

`--check-sigs` is documented as "Same as --list-keys, but the key
signatures are verified and listed too", so is supposed to *verify*
the signature.  This should use whatever digest algs are currently
regarded as trustworthy, not what was trustworthy some time ago.

The also says "key signatures are verified", so it shouldn't report on
some possible verification results from the past.

I've attached the key block used for this ("dada.asc").

Ansgar

-- System Information:
Versions of packages gnupg depends on:
ii  dirmngr         2.2.20-1
ii  gnupg-l10n      2.2.20-1
ii  gnupg-utils     2.2.20-1
ii  gpg             2.2.20-1
ii  gpg-agent       2.2.20-1
ii  gpg-wks-client  2.2.20-1
ii  gpg-wks-server  2.2.20-1
ii  gpgsm           2.2.20-1
ii  gpgv            2.2.20-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dada.asc
Type: application/pgp-keys
Size: 8599 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20201229/bb5bdb11/attachment.key>

More information about the pkg-gnupg-maint mailing list