[pgp-keyserver-folk] keyids in signatures getting corrupted, GPG and/or Debian problem?

Jason Harris jharris at widomaker.com
Fri Apr 9 16:43:42 CEST 2004


On Fri, Apr 09, 2004 at 09:15:03AM -0400, John Belmonte wrote:
> Jason Harris wrote:

> >I've just noticed some signatures with their keyids changed to
> >0x0910 in the last two bytes.  Both keys I've noticed this on
> >so far have been submitted directly to kjsl from different
> >machines/users, and I believe both users use GPG. The "mangled"

> My key (keyID 0x4C40410A) has the corruption you describe.  From memory 
> and looking at the output of "gpg --list-keys -v", here is some relevant 
> history:
> 
>     * 2003-12-06 -- I added a new user ID to my key (john at neggie.net), 
> set the new ID as primary, and sent the key to pgp.mit.edu (to be 
> merged).  At this time, the corrupt signature appeared on my former 
> primary ID (jvb at prairienet.org).  I believe I was using gnupg 1.2.3.

From my log (keyserver.kjsl.com):

[Sun Dec  7 xx:xx:01 2003] mail_req: request received from PGP Key Server Administrator <bug-pks mit.edu>: incremental
[Sun Dec  7 xx:xx:01 2003] kd_add: flags=100000
[Sun Dec  7 xx:xx:01 2003] display_new_sig: new sig 1 by 4C40410A added to 4C40410A John V. Belmonte <jvb ibm.net>
[Sun Dec  7 xx:xx:01 2003] display_new_sig: new sig 2 by 4C40410A added to 4C40410A John V. Belmonte <jvb ibm.net>
[Sun Dec  7 xx:xx:01 2003] display_new_sig: new sig 3 by 4C40410A added to 4C40410A John V. Belmonte <jvb prairien...
[Sun Dec  7 xx:xx:01 2003] display_new_userid: new userid 1 on key 4C40410A: John V. Belmonte <john neggie.net>
[Sun Dec  7 xx:xx:01 2003] display_new_sig: new sig 4 by 4C40410A added to 4C40410A John V. Belmonte <john nanaon-...
[Sun Dec  7 xx:xx:01 2003] display_new_sig: new subkey sig by 4C40410A added to 4C40410A
[Sun Dec  7 xx:xx:01 2003] kd_sync: completed successfully
[Sun Dec  7 xx:xx:01 2003] kd_add: pub+0 dksigs+0 subu=1 sig+4 uid+1 uid=1 rev+0

This shows your new userid (new userid 1, uid+1), and that the first
userid packet was new/changed (uid=1), but not the packet in question.

>     * 2004-02-18 -- I think I noticed that my previous setting of the 
> primary ID did not take effect (gpg was probably confused by two user 
> ID's being marked primary), so I set it again.  Only the 
> jvb at prairienet.org ID got a new signature, which makes sense.  I also 
> added another new user ID (jbelmonte at debian.org).  No new corruption.  I 
> was using gnupg 1.2.4.

I got the new userid, but still not the packet in question (TZ=PST8PDT):

[Tue Feb 17 23:19:00 2004] mail_req: request received from PGP Key Server Administrator <bug-pks mit.edu>: incremental
[Tue Feb 17 23:19:00 2004] kd_add: flags=100000
[Tue Feb 17 23:19:00 2004] display_new_userid: new userid 1 on key 4C40410A: John V. Belmonte <jbelmonte debian.org>
[Tue Feb 17 23:19:02 2004] kd_sync: completed successfully
[Tue Feb 17 23:19:02 2004] kd_add: pub+0 dksigs+0 subu=0 sig+0 uid+1 uid=1 rev+0

It arrives over two months later than when you thought it was generated,
and from a different keyserver than you submitted your Debian userid to,
as well as several minutes after that submission was processed:

[Tue Feb 17 23:31:00 2004] mail_req: request received from sks keyserver.bu.edu: incremental
[Tue Feb 17 23:31:00 2004] kd_add: flags=100000
[Tue Feb 17 23:31:00 2004] display_new_sig: new sig 1 by 4C400910 added to 4C40410A John V. Belmonte <jvb prairien...
[Tue Feb 17 23:31:00 2004] kd_sync: completed successfully
[Tue Feb 17 23:31:00 2004] kd_add: pub+0 dksigs+0 subu=0 sig+1 uid+0 uid=1 rev+0
 
> I suspect the bug is (or was) in gnupg.  If 1.2.3 exhibited the problem 

The bogus packet could have been generated at any time after the good
signature from 2003-12-06 was made available (to anyone else), but it
doesn't seem to have been submitted to a keyserver by you.

Yaron, will you inquire about the log(s) for keyserver.bu.edu?
It seems like someone submitted the bogus packet via HKP to bu.edu
about 10 minutes after John sent his Debian userid to mit.edu.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
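
The log correlation done by hand in the message above can be scripted. The following is an added example, not part of the original post or of the pks code base: it scans pks-style log text for signatures whose issuer keyid ends in 0910 and differs from the key they were added to, and reports which incoming request delivered them. The line format is inferred from the excerpts in the post, and `find_mangled_sigs` is a hypothetical name.

```python
import re

# Log lines copied from the excerpts in the message above (timestamps as posted).
SAMPLE_LOG = """\
[Tue Feb 17 23:19:00 2004] mail_req: request received from PGP Key Server Administrator <bug-pks mit.edu>: incremental
[Tue Feb 17 23:19:00 2004] kd_add: flags=100000
[Tue Feb 17 23:19:00 2004] display_new_userid: new userid 1 on key 4C40410A: John V. Belmonte <jbelmonte debian.org>
[Tue Feb 17 23:19:02 2004] kd_sync: completed successfully
[Tue Feb 17 23:31:00 2004] mail_req: request received from sks keyserver.bu.edu: incremental
[Tue Feb 17 23:31:00 2004] kd_add: flags=100000
[Tue Feb 17 23:31:00 2004] display_new_sig: new sig 1 by 4C400910 added to 4C40410A John V. Belmonte <jvb prairien...
[Tue Feb 17 23:31:00 2004] kd_sync: completed successfully
"""

# Assumed line layout, inferred from the excerpts: "[timestamp] function: message"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<func>\w+): (?P<msg>.*)$")
REQ = re.compile(r"^request received from (?P<src>.+): \w+$")
SIG = re.compile(r"^new (?:subkey )?sig(?: \d+)? by (?P<issuer>[0-9A-F]{8}) added to (?P<key>[0-9A-F]{8})")

def find_mangled_sigs(log_text, suffix="0910"):
    """Return one dict per signature whose issuer keyid ends in `suffix`
    and differs from the key it was added to, tagged with the submitting peer."""
    hits, source = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["func"] == "mail_req":
            # Remember who sent the request that the following lines belong to.
            req = REQ.match(m["msg"])
            source = req["src"] if req else None
        elif m["func"] == "display_new_sig":
            sig = SIG.match(m["msg"])
            if sig and sig["issuer"] != sig["key"] and sig["issuer"].endswith(suffix):
                hits.append({
                    "time": m["ts"], "source": source,
                    "issuer": sig["issuer"], "key": sig["key"],
                    # Same upper 16 bits as the key: consistent with a damaged self-signature.
                    "self_sig_like": sig["issuer"][:4] == sig["key"][:4],
                })
    return hits

if __name__ == "__main__":
    for hit in find_mangled_sigs(SAMPLE_LOG):
        print(hit)
```

A genuine third-party key whose id happens to end in 0910 would also be listed, so `self_sig_like` only ranks hits for manual review against the key's real self-signatures.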