[pkg-gnupg-maint] Bug#1087821: gpg: rewrites some Ed25519 OpenPGP signature packets
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Nov 19 07:06:27 GMT 2024
Package: gpg
Version: 2.4.6-1
Severity: normal
Control: forwarded -1 https://dev.gnupg.org/T7403
the version of gpg in experimental (2.4.6-1) currently rewrites OpenPGP
signature packets if they're made with Ed25519, and they have less than
256 bits in either R or S. It rewrites them to a form that is in
contravention of every OpenPGP RFC (and the LibrePGP Internet Draft as
well), because the high bit of R or S is cleared, but the MPI length
octets are malformed. Signatures of this structure are likely to cause
crashes in some other OpenPGP implementations.
2.2.45-2 (in unstable) does not have this misbehavior. In fact,
2.2.45-2 corrects malformed MPIs so that they are correctly formed.
This means that OpenPGP certificates ("transferable public keys" or "key
blocks") will actually be rewritten each time they are exchanged between
2.4.6 and 2.2.45, which is deeply weird. We should avoid introducing
the kinds of malformed output produced by 2.4.6 into the larger OpenPGP
ecosystem.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20241119/d72746b2/attachment.sig>
More information about the pkg-gnupg-maint
mailing list