gpgv: timestamps, validity, expiration, and revocation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 22 20:34:41 CEST 2016 

hey GnuPG folks--

the gpgv man page (in all three supported branches) says:

>  gpgv assumes that all keys in the keyring are trustworthy.  That does
>  also mean that it does not check for expired or revoked keys.

In addition to this, gpgv appears to be OK with signatures made in the
future.

But it's not that gpgv doesn't care about timestamps at all:

 0) it refuses to check signatures made by keys whose certificates
   indicate that they were created in the future (that is, where the key
   was created after "now"), and

 1) it refuses to check signatures where the signature itself appears to
    have been created before the key was created.


The attached tarball contains:

  pubkey.gpg -- a binary-format 2048-bit RSA OpenPGP certificate
  
  C47D9EDFF117EE2AA11B162D017D715B3D0C4AF2.key -- the corresponding
                                                  secret key (for
                                                  reference/experimentation
                                                  only)

  before.txt.asc -- clearsigned message made by the key before
                    certificate creation time

  during.txt.asc -- clearsigned message made by the key between
                    certificate creation and certificate expiration

  after.txt.asc -- clearsigned message made by the key after certificate
                   expiration


of these, gpg approves of during.txt.asc and after.txt.asc, but not
before.txt.asc:

0 dkg at alice:~/gpgv-dates$ gpgv --keyring ./pubkey.gpg before.txt.asc 
gpgv: Signature made Mon 09 Nov 2015 12:00:03 AM EST using RSA key ID 848F642B
gpgv: public key 848F642B is 165 days newer than the signature
gpgv: Can't check signature: Time conflict
2 dkg at alice:~/gpgv-dates$ gpgv --keyring ./pubkey.gpg during.txt.asc 
gpgv: Signature made Fri 22 Apr 2016 02:22:38 PM EDT using RSA key ID 848F642B
gpgv: Good signature from "test user <test at example.org>"
0 dkg at alice:~/gpgv-dates$ gpgv --keyring ./pubkey.gpg after.txt.asc 
gpgv: Signature made Fri 08 Jul 2016 12:00:01 AM EDT using RSA key ID 848F642B
gpgv: Good signature from "test user <test at example.org>"
0 dkg at alice:~/gpgv-dates$ 

I think this is the wrong tradeoff, and not anything that reasonable use
cases would want.

I think gpgv should check for revoked or expired keys; if it assumes
that all keys in the keyring are trustworthy, then why would it not be
willing to rely on those keys' stated (and self-certified) expiration
dates or revocation certificates?

I'm particularly worried about this because i'm hoping that apt (and
other package managers) will move to using gpgv for verification --
there's no reason for a verification-only context (like verifying signed
package manifests) to need to bundle in all the complexity that goes
with secret key handling.  If gpgv doesn't handle these timestamp issues
correctly, then package managers relying on gpgv can be subject to
archive "freezing", slowing, or replay attacks.

Is there a reason to keep the earlier, inconsistent behavior, or should
i file a bug report tracking a fix for this?

If the earlier behavior must remain in place, what is the GnuPG team's
recommendation for systems that just need signature verification but
want to respect expiration, revocation, timestamps, etc?

    --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgv-dates.tgz
Type: application/x-gtar-compressed
Size: 3086 bytes
Desc: not available
URL: </pipermail/attachments/20160422/b8d01c98/attachment.tgz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: </pipermail/attachments/20160422/b8d01c98/attachment.sig>

More information about the Gnupg-devel mailing list