un-trusting MD5 in gpg [was: Re: removing SHA1 from digest preference list]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 5 20:50:42 CEST 2009

On 05/03/2009 11:11 PM, David Shaw wrote:
> On May 3, 2009, at 10:44 PM, David Shaw wrote:
>> Try this patch (against the 1.4 branch):
> Better patch:

I ended up patching gnupg2 (i'm running debian, and have gpg1 and gpg2
installed side by side).  The patch i ultimately used was:

--- gnupg2-2.0.11.orig/g10/sig-check.c
+++ gnupg2-2.0.11/g10/sig-check.c
@@ -66,6 +66,9 @@
     PKT_public_key *pk = xmalloc_clear( sizeof *pk );
     int rc=0;

+    if(sig->digest_algo==DIGEST_ALGO_MD5)
+      return G10ERR_DIGEST_ALGO;
     if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )
       ; /* We don't have this digest. */
     else if ((rc=openpgp_pk_test_algo(sig->pubkey_algo)))
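Review bot: the early return leaks pk, which was allocated with xmalloc_clear two lines above the new check and is never freed on this path. Either move the check ahead of that allocation, or follow the pattern of the very next line (`if ( (rc=openpgp_md_test_algo(sig->digest_algo)) )`) by assigning `rc=G10ERR_DIGEST_ALGO` and falling through to the function's normal error exit so pk is released. The MD5 comparison is also hardcoded inline; the configurable list proposed later in the message would want a single shared predicate here instead.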
@@ -529,6 +532,9 @@
     sig = node->pkt->pkt.signature;
     algo = sig->digest_algo;

+    if(algo==DIGEST_ALGO_MD5)
+      return G10ERR_DIGEST_ALGO;
     /* Check whether we have cached the result of a previous signature
        check.  Note that we may no longer have the pubkey or hash
        needed to verify a sig, but can still use the cached value.  A
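Review bot: rejecting before the cached-result lookup is the right order, since the comment that follows says a cached verdict may be reused without the hash, so an MD5 signature cached as good by an unpatched run would otherwise still be accepted; that reasoning deserves a comment above the new lines. This is the second inline copy of `algo==DIGEST_ALGO_MD5`; routing both call sites through one helper keeps certification checks and data-signature checks from drifting apart. Note too that G10ERR_DIGEST_ALGO now covers both "digest not implemented" and "digest not trusted", so the `[Invalid digest algorithm]` message cannot tell the user which applies; that bears on the question at the end of the message.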

And it seems to work as expected.  That is, i can still use "gpg2
--print-md md5", but when looking at certifications it rejects signatures
made with md5 like this:

sig%         6241B82D 2000-10-05  [Invalid digest algorithm]

And when i test an inline signature over MD5, i see the following
difference in behavior (gpg is not modified, gpg2 is):

> 0 dkg at pip:/tmp/cdtemp.RD4NL4$ gpg --verify test.asc 
> gpg: Signature made Tue 05 May 2009 02:31:43 PM EDT using RSA key ID D21739E9
> gpg: Good signature from "Daniel Kahn Gillmor <dkg at fifthhorseman.net>" [ultimate]
> gpg:                 aka "Daniel Kahn Gillmor <dkg at astro.columbia.edu>" [ultimate]
> gpg:                 aka "Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net>" [ultimate]
> gpg:                 aka "Daniel Kahn Gillmor <dkg at openflows.com>" [ultimate]
> gpg:                 aka "[jpeg image of size 3515]" [ultimate]
> 0 dkg at pip:/tmp/cdtemp.RD4NL4$ gpg2 --verify test.asc 
> gpg: Signature made Tue 05 May 2009 02:31:43 PM EDT using RSA key ID D21739E9
> gpg: Can't check signature: Invalid digest algorithm
> 2 dkg at pip:/tmp/cdtemp.RD4NL4$ 

So I'll modify gpg1 with a similar patch shortly to see what i can learn
from living with this patch in daily use.

Longer term: instead of the test patch hardcoding a rejection of MD5
signatures, it'd be preferable to have a configurable list of digests
which are untrusted for signatures and/or certifications.

Perhaps instead of --disable-digest-algo (which, by analogy with cipher
and pubkey, would completely remove the digest), we should consider
--no-trust-digest-algo to form a list of deprecated digests.

The man page might read something like:

 --trust-digest-algo name
 --no-trust-digest-algo name
      Trust (or not) signatures made over a digest algorithm of *name*.
      Untrusted digests can still be computed in other contexts, but
      certifications and data signatures made over untrusted digests
      will be considered invalid.  By default, all implemented digest
      algorithms are trusted.

This way, if we later decide to disable trust in MD5 by default, users
who really want MD5 could re-enable it with --trust-digest-algo.

Any thoughts on this?  I'm leery of adding Yet Another Option to gpg,
but i think this might be needed.  I'd be interested in other proposals too.

And last: is there any reason to add an additional error value to cover
these semantics (e.g. G10_ERR_INSECURE_DIGEST_ALGO), or is
G10_ERR_DIGEST_ALGO sufficient?
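As an added example (not GnuPG code and not part of the message above), here is a small C sketch of how the proposed --trust-digest-algo / --no-trust-digest-algo policy could be modelled: a per-algorithm untrusted set that is consulted where the patch hardcodes DIGEST_ALGO_MD5, with later options overriding earlier ones so a future "untrusted by default" MD5 could be re-enabled on the command line. Every function and error name here is an assumption; only the OpenPGP algorithm numbers come from RFC 4880 section 9.4.

```c
/* Added example, not GnuPG code: a sketch of the configurable digest-trust
 * policy proposed in the message.  All identifiers are hypothetical; only
 * the OpenPGP algorithm ids come from RFC 4880 section 9.4. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_ALGO_MD5     1
#define DIGEST_ALGO_SHA1    2
#define DIGEST_ALGO_RMD160  3
#define DIGEST_ALGO_SHA256  8
#define DIGEST_ALGO_SHA384  9
#define DIGEST_ALGO_SHA512 10
#define DIGEST_ALGO_SHA224 11

/* Hypothetical error codes; ERR_DIGEST_ALGO plays the role of G10ERR_DIGEST_ALGO. */
#define ERR_DIGEST_ALGO   1
#define ERR_UNKNOWN_NAME (-1)
#define ERR_BAD_OPTION   (-2)

static const struct { const char *name; int algo; } digest_table[] = {
    { "MD5",       DIGEST_ALGO_MD5    },
    { "SHA1",      DIGEST_ALGO_SHA1   },
    { "RIPEMD160", DIGEST_ALGO_RMD160 },
    { "SHA256",    DIGEST_ALGO_SHA256 },
    { "SHA384",    DIGEST_ALGO_SHA384 },
    { "SHA512",    DIGEST_ALGO_SHA512 },
    { "SHA224",    DIGEST_ALGO_SHA224 },
};

/* Bit n set means algorithm n is untrusted for signatures and certifications.
 * Zero by default, i.e. "all implemented digest algorithms are trusted". */
static unsigned long untrusted_digests = 0;

static int name_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Map a digest name (case-insensitive) to its OpenPGP id, 0 if unknown. */
int digest_algo_by_name(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof digest_table / sizeof digest_table[0]; i++)
        if (name_eq_nocase(name, digest_table[i].name))
            return digest_table[i].algo;
    return 0;
}

/* Handle one --trust-digest-algo / --no-trust-digest-algo occurrence.
 * The last option naming a given algorithm wins, so a built-in
 * "--no-trust-digest-algo MD5" default could later be undone by the user. */
int apply_digest_trust_option(const char *opt, const char *name)
{
    int algo = digest_algo_by_name(name);
    if (!algo)
        return ERR_UNKNOWN_NAME;
    if (strcmp(opt, "--trust-digest-algo") == 0)
        untrusted_digests &= ~(1UL << algo);
    else if (strcmp(opt, "--no-trust-digest-algo") == 0)
        untrusted_digests |= 1UL << algo;
    else
        return ERR_BAD_OPTION;
    return 0;
}

/* Out-of-range ids are treated as untrusted rather than indexing past the mask. */
int digest_trusted(int algo)
{
    if (algo <= 0 || algo >= (int)(8 * sizeof untrusted_digests))
        return 0;
    return !(untrusted_digests & (1UL << algo));
}

/* What the patch's inline "algo==DIGEST_ALGO_MD5" test becomes: both
 * signature-check call sites consult the policy through this one function. */
int check_sig_digest_policy(int algo)
{
    return digest_trusted(algo) ? 0 : ERR_DIGEST_ALGO;
}

int main(void)
{
    /* Constructed walkthrough mirroring the gpg2 session in the message. */
    apply_digest_trust_option("--no-trust-digest-algo", "md5");
    printf("MD5 signature: %s\n", check_sig_digest_policy(DIGEST_ALGO_MD5)
           ? "Invalid digest algorithm" : "checked");
    printf("SHA256 signature: %s\n", check_sig_digest_policy(DIGEST_ALGO_SHA256)
           ? "Invalid digest algorithm" : "checked");
    apply_digest_trust_option("--trust-digest-algo", "MD5");
    printf("MD5 after re-enable: %s\n", check_sig_digest_policy(DIGEST_ALGO_MD5)
           ? "Invalid digest algorithm" : "checked");
    return 0;
}
```

The point of the single check_sig_digest_policy() entry is that the two hunks in the patch (the data-signature path and the certification path) would call the same predicate, so the policy cannot differ between them, and the rejection stays ahead of any cached-result lookup exactly where the patch placed it.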


