[Announce] False positive signature verification in GnuPG

Werner Koch wk at gnupg.org
Wed Feb 15 08:49:25 CET 2006

           False positive signature verification in GnuPG


The Gentoo project identified a security related bug in GnuPG.  When
using any current version of GnuPG for unattended signature
verification (e.g. by scripts and mail programs), false positive
signature verification of detached signatures may occur.

This problem affects the tool *gpgv*, as well as using "gpg --verify"
to imitate gpgv, if only the exit code of the process is used to
decide whether a detached signature is valid.  This is a plausible
mode of operation for gpgv.

If, as suggested, the --status-fd generated output is used to decide
whether a signature is valid, no problem exists.  In particular
applications making use of the GPGME library[2] are not affected.

To solve this problem an update of the current stable version has been
released (see below).

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Signature verification of detached signatures does not work, thus
modified versions of signature protected files may not be detected.

All versions of gnupg prior to are affected if they are used
in certain unattended operation modes.

There is no problem using GnuPG in an interactive way because GnuPG
won't print any signature status at all; i.e. no "Good signature".

Scripts and applications using gpg or gpgv with the --status-fd option
and properly parsing this output are not affected.

Applications using the GPGME library[2] are not affected.

The GnuPG versions 1.9 are not affected unless the currently
deprecated gpg part has been enabled.


Update GnuPG as soon as possible to version  There are no
fixes for older versions available, although the fix described below
may be adjusted for them.

To update please follow the instructions found at
http://www.gnupg.org/download/ or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ .  The list of mirrors can be
found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*

  gnupg- (2.8M)

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg- (4.0M)

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.4.2- (39k)

      A patch file to upgrade a 1.4.2 GnuPG source. 

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file.  Please try another mirror if
exceptionally your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli- (1.4M)

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and now comes with a
      graphical installer tool.  The source files are the same as
      given above.  Note, that a new version of the Gpg4Win
      package[3], including an updated version of GnuPG, will be
      available later today.

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg- you would use this command:

     gpg --verify gnupg-

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key.  Note, that you can retrieve the signing key using "finger wk
   'at' g10code.com" or "finger dd9jn 'at' gnu.org" or using the
   keyservers.  From time to time I prolong the expiration date; thus
   you might need a fresh copy of that key.

   Never use a GnuPG version you just downloaded to check the
   integrity of the source - use an existing GnuPG installation!
   Watch out for a "Good signature" message.

 * If you are not able to use an old version of GnuPG, you have to
   verify the SHA-1 checksum.  Assuming you downloaded the file
   gnupg-, you would run the sha1sum command like this:

     sha1sum gnupg-

   and check that the output matches the first line from the
   following list:

1c0306ade25154743d6f6f9ac05bee74c55c6eda  gnupg-
cefc74560f21bde74eed298d86460612cd7e12ee  gnupg-
98d597b1a9871b4aadc820d8641b36ce09125612  gnupg-1.4.2-
a4db35a72d72df8e76751adc6f013b4c96112fd4  gnupg-w32cli-


If a file with arbitrary data, for example 64 times the character
0xCA, is used as the detached signature, any data file will lead to
gpg exiting with 0 (success).  There won't be any messages indicating
that the signature is valid or false:

  $ fortune >x.txt
  $ perl -e 'print "\xca"x"64"' >x.txt.sig
  $ gpgv x.txt.sig x.txt
  $ echo $?

Clearly this should not return success.

The same problem appears when using "gpg --verify" in place of gpgv.
However in this case any application should do further checks to
make sure that the key verifying the signature is actually the desired
one, thus using "gpg --verify" without processing the --status-fd
generated output is in general the wrong approach.
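
The advice above, as an added example in Python (not code from GnuPG or from this announcement): a script accepts a detached signature only when the --status-fd output contains a VALIDSIG line for the expected fingerprint, so empty output or NODATA counts as failure whatever the exit code. The fingerprint, key ID and status lines are constructed sample data, and the keyring passed to verify_detached is the caller's choice.

```python
import subprocess

# Status keywords that must never appear alongside an accepted signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

def signature_ok(status_text, expected_fpr):
    """True only if the status output reports exactly one valid signature
    and it was made by the key with fingerprint expected_fpr."""
    valid = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                      # not a status line
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            valid.append(args[0].upper())
    # No VALIDSIG at all (e.g. no signature packet was seen) is a failure.
    return valid == [expected_fpr.upper()]

def verify_detached(sig_path, data_path, keyring, expected_fpr):
    """Run gpgv with status lines on stdout; require both a zero exit
    code and a matching VALIDSIG line."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, expected_fpr)

# Constructed sample data: fingerprint, key ID and user ID are made up.
EXPECTED = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG " + EXPECTED + " 2006-02-15 1139990000 0 3 0 17 2 00 "
    + EXPECTED + "\n")
SAMPLES = {
    "good": GOOD,
    "no status lines": "",
    "nodata": "[GNUPG:] NODATA 4\n",
    "bad signature": "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n",
    "other key": GOOD.replace(EXPECTED, "F" * 40),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", signature_ok(text, EXPECTED))
```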

The fixed version makes sure that gpgv and "gpg --verify" won't return
success if no signature has been seen.  A minimal but sufficient fix
against 1.4.2 and possibly older versions is:

--- g10/mainproc.c	(revision 4001)
+++ g10/mainproc.c	(working copy)
@@ -77,6 +77,7 @@
         int op;
         int stop_now;
     } pipemode;
+    int any_sig_seen;  /* Set to true if a signature packet has been seen. */
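Review bot: any_sig_seen is added to the struct after pipemode, but none of the visible hunks ever clears it, so the new check after do_proc_packets depends on the context being zero-filled when it is allocated. Please confirm that allocation zeroes the struct, or set c->any_sig_seen = 0 explicitly before the call.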
@@ -217,6 +218,7 @@
     KBNODE node;
+    c->any_sig_seen = 1;
     if( pkt->pkttype == PKT_SIGNATURE && !c->list ) {
 	/* This is the first signature for the following datafile.
 	 * GPG does not write such packets; instead it always uses
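Review bot: c->any_sig_seen = 1 is assigned before the pkt->pkttype == PKT_SIGNATURE test, so the flag is set for every packet that reaches this function and records only that a packet arrived, not that a signature verified. If the function can be reached with other packet types, move the assignment under a pkttype check; either way a one-line comment on the assignment would make the intent clear.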
@@ -1137,6 +1139,18 @@
     c->signed_data = signedfiles;
     c->sigfilename = sigfilename;
     rc = do_proc_packets( c, a );
+    /* If we have not encountered any signature we print an error
+       messages, send a NODATA status back and return an error code.
+       Using log_error is required because verify_files does not check
+       error codes for each file but we want to terminate the process
+       with an error. */ 
+    if (!rc && !c->any_sig_seen)
+      {
+ 	 write_status_text (STATUS_NODATA, "4");
+        log_error (_("no signature found\n"));
+        rc = -1;
+      }
     m_free( c );
     return rc;
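Review bot: the new block after do_proc_packets passes the literal "4" to write_status_text (STATUS_NODATA, ...) without explanation; a short comment or a named constant for what 4 means would help anyone parsing the status output. rc = -1 is a generic value, and a specific error code would make this failure easier to tell apart from others. Style: the comment reads "an error messages", its closing */ is followed by trailing whitespace, and the write_status_text line is indented with a tab where the neighbouring added lines use spaces.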

Note that the released version also includes a test case for this bug
and prints an additional diagnostic.  With the patch above the output
using the same test data as above should be:

  $ gpgv x.txt.sig x.txt
  gpgv: no signature found
  gpgv: verify signatures failed: eof
  $ echo $?


taviso from the Gentoo project found this vulnerability and informed
me on Monday evening.  Unfortunately I had already switched off my
monitor at that time.  The update has been released yesterday evening



[1] http://lists.gnupg.org/mailman/listinfo/gnupg-devel
[2] http://www.gnupg.org/related_software/gpgme
[3] http://www.gpg4win.org

Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org
Join the Fellowship and protect your Freedom!    http://www.fsfe.org