Forging key signatures with collisions
Georgi Guninski
guninski at guninski.com
Fri Jun 22 16:16:48 CEST 2012
This is getting stranger...
The primary colliding key appears unusable if it is imported second.
But if I create a subkey in it (using tricks) the subkey appears signed by
the wrong user. Have the private key for it, but can't make signatures yet
(maybe gpg needs more patching). If I can make a signature with the subkey
it might be reported by the wrong user (probably with the correct keyid):
$gpg --import < /tmp/fake4
$gpg --check-sigs --keyid-f long
pub 2047R/251BEFF479164387 2012-06-22
uid fake 4 <f at f4>
sig!3 251BEFF479164387 2012-06-22 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub 2047R/251BEFF479164387 2012-06-22
sig! 251BEFF479164387 2012-06-22 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub 2048R/99270C331D426C85 2012-06-22
sig! 251BEFF479164387 2012-06-22 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com> # 99... doesn't collide with anything to my knowledge and the secret key is available.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fake4
Type: application/octet-stream
Size: 1679 bytes
Desc: not available
URL: </pipermail/attachments/20120622/0899b330/attachment.obj>
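
Added example, not part of the original post or of GnuPG: a Python check that reads a colon-format key listing and reports any 64-bit key ID claimed by keys with different fingerprints, the situation visible in the listing above where a pub line and a sub line carry the same long key ID. The sample listing is constructed: the key IDs are taken from the post, the leading fingerprint digits are made up, and the function names are this example's own.

```python
"""Flag 64-bit key IDs that are shared by keys with different fingerprints."""
from collections import defaultdict

# Constructed sample in the record layout printed by
# `gpg --list-keys --with-colons --fingerprint --fingerprint`.
# Key IDs are those in the post; the first 24 hex digits of each fpr are invented.
SAMPLE = """\
pub:-:2047:1:251BEFF479164387:2012-06-22:::-:fake 4 <f@f4>::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA251BEFF479164387:
sub:-:2047:1:251BEFF479164387:2012-06-22::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB251BEFF479164387:
sub:-:2048:1:99270C331D426C85:2012-06-22::::::s:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC99270C331D426C85:
"""


def parse_keys(colon_listing):
    """Return [(record_type, long_keyid, fingerprint)] for pub/sub records."""
    keys, pending = [], None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 4:
            pending = (f[0], f[4].upper())      # field 5 is the long key ID
        elif f[0] == "fpr" and pending and len(f) > 9:
            keys.append((pending[0], pending[1], f[9].upper()))  # field 10
            pending = None
    return keys


def colliding_keyids(keys):
    """Map a long key ID to its fingerprints when more than one key claims it."""
    by_id = defaultdict(set)
    for _kind, keyid, fpr in keys:
        by_id[keyid].add(fpr)
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


if __name__ == "__main__":
    for keyid, fprs in colliding_keyids(parse_keys(SAMPLE)).items():
        print(f"key ID {keyid} is claimed by {len(fprs)} distinct keys:")
        for fpr in fprs:
            print("   ", fpr)
```

To check a real keyring, pass the output of the gpg command named in the comment to parse_keys() in place of SAMPLE.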