Bug#579898: GnuPG::Signature contains no information about cryptographic validity of the signature [PATCH] [SECURITY]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun May 2 05:13:03 UTC 2010


Package: libgnupg-interface-perl
Tags: security patch

One of the primary reasons one might want to use GnuPG::Interface is to
examine the cryptographically-valid OpenPGP certifications that bind
User IDs and subkeys to primary keys.

However, GnuPG::Signature has no information about whether a given
signature is in fact cryptographically valid.

Given that it is trivial to create invalid OpenPGP signatures "from" any
key you like and inject them into keyservers (and from there into local
keyrings), this seems like a potential security vulnerability in any
application which uses GnuPG::Interface to examine a list of OpenPGP
certifications.

Attached is a patch which adds new functionality to GnuPG::Signature to
report whether a signature has been computed by GnuPG to be
cryptographically valid or not.

Given that no existing code which relies on GnuPG::Signature currently
uses this functionality, it may be safer to go even further: another
possible patch on top of this would be to only store valid signatures in
the signatures() arrayref of the GnuPG::UserID and GnuPG::SubKey
classes.  (Perhaps an "invalid_signatures" arrayref could be added to
these classes if users for some reason wanted access to this kind of
questionable material.)

This patch applies after the recent series of patches I've submitted.

	--dkg

PS I can create and publish an invalid certification from any key to any
key if it would be a useful demonstration.  Please let me know if that
is desired as proof of the security concerns around this bug report.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: report_signature_validity.patch
Type: text/x-patch
Size: 3635 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20100502/38c5872f/attachment.bin>
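The validity information the report says GnuPG::Signature discards comes from field 2 of gpg's `--with-colons` "sig" records, which is only filled in when gpg actually verifies the signatures (`--check-sigs`, not `--list-sigs`). The following is an added example, not part of the bug report or of GnuPG::Interface, that parses such output and keeps only certifications gpg marked good; the sample records, key IDs and user IDs are constructed placeholders.

```python
"""Classify OpenPGP certifications by the validity flag gpg reports.

Added example (not GnuPG::Interface code). With `gpg --check-sigs --with-colons`
field 2 of each "sig"/"rev" record carries the verification result:
"!" good, "-" bad, "?" no key to verify with, "%" other error. With plain
--list-sigs the field is empty, which must not be read as "valid".
"""
from collections import defaultdict

# Meaning of field 2 on sig/rev records (from gpg's DETAILS documentation).
VALIDITY = {"!": "good", "-": "bad", "?": "unverifiable", "%": "error", "": "unchecked"}

# Constructed sample: one key, one User ID, four certifications with
# different outcomes. Key IDs and names are placeholders, not real keys.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1270000000:::u:::scESC::::::23::0:
uid:u::::1270000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Alice <alice@example.org>::::::::::0:
sig:!::1:0123456789ABCDEF:1270000000::::Alice <alice@example.org>:13x:::::::::
sig:!::1:FEDCBA9876543210:1270100000::::Bob <bob@example.org>:10x:::::::::
sig:-::1:1111222233334444:1270200000::::Mallory <mallory@example.org>:10x:::::::::
sig:?::1:5555666677778888:1270300000::::[User ID not found]:10x:::::::::
"""


def parse_certifications(colon_output):
    """Return {user_id: [(issuer_keyid, sig_class, status), ...]}.

    Certifications are attached to the most recent "uid" record; direct
    key signatures preceding any uid are skipped for brevity.
    """
    result = defaultdict(list)
    current_uid = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current_uid = fields[9]          # field 10: the User ID string
        elif fields[0] in ("sig", "rev") and current_uid is not None:
            status = VALIDITY.get(fields[1], "unknown")
            # field 5: issuer key ID, field 11: signature class (e.g. 10x, 13x)
            result[current_uid].append((fields[4], fields[10], status))
    return dict(result)


def valid_certifiers(colon_output, user_id):
    """Key IDs whose certification of user_id gpg verified as good ("!")."""
    certs = parse_certifications(colon_output).get(user_id, [])
    return [keyid for keyid, _cls, status in certs if status == "good"]
```

A wrapper that exposes only the issuer key ID and User ID, as the report describes, would return all four certifiers here; only the two marked good should be trusted.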
