gpg --export produces invalid EdDSA output - regression
Marek Marczykowski-Górecki
marmarek at invisiblethingslab.com
Tue Sep 12 17:45:05 CEST 2023
Hello,
GnuPG 2.4.0 produces invalid output when exporting an EdDSA key.
Specifically, there is extra padding in the signature. This causes
Sequoia (and maybe others) to reject such a key (GnuPG itself accepts it).
The problem does not affect 2.2.40, so this is a regression in some
later version.
This can be reproduced as follows:
wget https://github.com/QubesOS/qubes-qubes-release/raw/main/RPM-GPG-KEY-qubes-4.2-templates-community
mkdir ~/test
gpg --homedir ~/test --import RPM-GPG-KEY-qubes-4.2-templates-community
With 2.2.4:
[user at disp6884 gnupg-2.2.40]$ g10/gpg --homedir ~/test --export |sq packet dump -x
Public-Key Packet, old CTB, 2 header bytes + 51 bytes
Version: 4
Creation time: 2023-03-14 14:35:36 UTC
Pk algo: EdDSA
Pk size: 256 bits
Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
KeyID: 08D08ABE6D5C71B3
00000000 98 CTB
00000001 33 length
00000002 04 version
00000003 64 10 86 38 creation_time
00000007 16 pk_algo
00000008 09 curve_len
00000009 2b 06 01 04 01 da 47 curve
00000010 0f 01
00000012 01 07 eddsa_public_len
00000014 40 a8 b6 69 8c 05 70 46 52 b5 2d 5d eddsa_public
00000020 08 e7 71 d8 b9 5f a6 e5 24 5b 33 e5 35 1c 5c 0b
00000030 d9 96 ad bc c7
User ID Packet, old CTB, 2 header bytes + 52 bytes
Value: Qubes OS Release 4.2 Community Templates Signing Key
00000000 b4 CTB
00000001 34 length
00000002 51 75 62 65 73 20 4f 53 20 52 65 6c 65 61 value
00000010 73 65 20 34 2e 32 20 43 6f 6d 6d 75 6e 69 74 79
00000020 20 54 65 6d 70 6c 61 74 65 73 20 53 69 67 6e 69
00000030 6e 67 20 4b 65 79
Signature Packet, old CTB, 2 header bytes + 146 bytes
Version: 4
Type: PositiveCertification
Pk algo: EdDSA
Hash algo: SHA512
Hashed area:
Issuer Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
Signature creation time: 2023-03-14 15:17:16 UTC
Key flags: CS
Symmetric algo preferences: AES256, AES192, AES128, TripleDES
AEAD preferences: OCB
Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1
Compression preferences: Zlib, BZip2, Zip
Features: MDC, AEAD, #2
Keyserver preferences: no modify
Unhashed area:
Issuer: 08D08ABE6D5C71B3
Digest prefix: 1631
Level: 0 (signature over data)
00000000 88 CTB
00000001 92 length
00000002 04 version
00000003 13 type
00000004 16 pk_algo
00000005 0a hash_algo
00000006 00 3b hashed_area_len
00000008 16 subpacket length
00000009 21 subpacket tag
0000000a 04 version
0000000b 8f 24 d3 88 c9 issuer fp
00000010 da 21 a5 5d 7d bc 8f 08 d0 8a be 6d 5c 71 b3
0000001f 05 subpacket length
00000020 02 subpacket tag
00000021 64 10 8f fc sig creation time
00000025 02 subpacket length
00000026 1b subpacket tag
00000027 03 key flags
00000028 05 subpacket length
00000029 0b subpacket tag
0000002a 09 08 07 02 pref sym algos
0000002e 02 subpacket length
0000002f 22 subpacket tag
00000030 02 pref aead algos
00000031 06 subpacket length
00000032 15 subpacket tag
00000033 0a 09 08 0b 02 pref hash algos
00000038 04 subpacket length
00000039 16 subpacket tag
0000003a 02 03 01 pref compression algos
0000003d 02 subpacket length
0000003e 1e subpacket tag
0000003f 07 features
00000040 02 subpacket length
00000041 17 subpacket tag
00000042 80 key server pref
00000043 00 0a unhashed_area_len
00000045 09 subpacket length
00000046 10 subpacket tag
00000047 08 d0 8a be 6d 5c 71 b3 issuer
0000004f 16 digest_prefix1
00000050 31 digest_prefix2
00000051 01 00 eddsa_sig_r_len
00000053 87 ab 4e 3a a8 4b 13 19 7f 39 21 4a ef eddsa_sig_r
00000060 7e 87 10 74 27 82 50 9b 14 54 c3 1c 1f 58 34 09
00000070 b5 2f 27
00000073 00 f8 eddsa_sig_s_len
00000075 b2 c7 d6 0d 3e 23 40 41 fe 8e 9c eddsa_sig_s
00000080 51 28 21 a0 31 b7 ca 55 9c b3 a3 6a 70 d9 ca d0
00000090 c7 bd eb 0f
With 2.4.0:
[user at disp6884 gnupg-2.4.0]$ g10/gpg --homedir ~/test --export |sq packet dump -x
Public-Key Packet, old CTB, 2 header bytes + 51 bytes
Version: 4
Creation time: 2023-03-14 14:35:36 UTC
Pk algo: EdDSA
Pk size: 256 bits
Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
KeyID: 08D08ABE6D5C71B3
00000000 98 CTB
00000001 33 length
00000002 04 version
00000003 64 10 86 38 creation_time
00000007 16 pk_algo
00000008 09 curve_len
00000009 2b 06 01 04 01 da 47 curve
00000010 0f 01
00000012 01 07 eddsa_public_len
00000014 40 a8 b6 69 8c 05 70 46 52 b5 2d 5d eddsa_public
00000020 08 e7 71 d8 b9 5f a6 e5 24 5b 33 e5 35 1c 5c 0b
00000030 d9 96 ad bc c7
User ID Packet, old CTB, 2 header bytes + 52 bytes
Value: Qubes OS Release 4.2 Community Templates Signing Key
00000000 b4 CTB
00000001 34 length
00000002 51 75 62 65 73 20 4f 53 20 52 65 6c 65 61 value
00000010 73 65 20 34 2e 32 20 43 6f 6d 6d 75 6e 69 74 79
00000020 20 54 65 6d 70 6c 61 74 65 73 20 53 69 67 6e 69
00000030 6e 67 20 4b 65 79
Unknown or Unsupported Packet, old CTB, 2 header bytes + 147 bytes
Tag: Signature Packet
Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in 0 (0)
00000000 88 CTB
00000001 93 length
00000002 04 version
00000003 13 type
00000004 16 pk_algo
00000005 0a hash_algo
00000006 00 3b hashed_area_len
00000008 16 subpacket length
00000009 21 subpacket tag
0000000a 04 version
0000000b 8f 24 d3 88 c9 issuer fp
00000010 da 21 a5 5d 7d bc 8f 08 d0 8a be 6d 5c 71 b3
0000001f 05 subpacket length
00000020 02 subpacket tag
00000021 64 10 8f fc sig creation time
00000025 02 subpacket length
00000026 1b subpacket tag
00000027 03 key flags
00000028 05 subpacket length
00000029 0b subpacket tag
0000002a 09 08 07 02 pref sym algos
0000002e 02 subpacket length
0000002f 22 subpacket tag
00000030 02 pref aead algos
00000031 06 subpacket length
00000032 15 subpacket tag
00000033 0a 09 08 0b 02 pref hash algos
00000038 04 subpacket length
00000039 16 subpacket tag
0000003a 02 03 01 pref compression algos
0000003d 02 subpacket length
0000003e 1e subpacket tag
0000003f 07 features
00000040 02 subpacket length
00000041 17 subpacket tag
00000042 80 key server pref
00000043 00 0a unhashed_area_len
00000045 09 subpacket length
00000046 10 subpacket tag
00000047 08 d0 8a be 6d 5c 71 b3 issuer
0000004f 16 digest_prefix1
00000050 31 digest_prefix2
00000051 01 00 eddsa_sig_r_len
00000053 87 ab 4e 3a a8 4b 13 19 7f 39 21 4a ef eddsa_sig_r
00000060 7e 87 10 74 27 82 50 9b 14 54 c3 1c 1f 58 34 09
00000070 b5 2f 27
00000073 01 00 00 b2 c7 d6 0d 3e 23 40 41 fe 8e .......>#@A..
00000080 9c 51 28 21 a0 31 b7 ca 55 9c b3 a3 6a 70 d9 ca .Q(!.1..U...jp..
00000090 d0 c7 bd eb 0f .....
Some more details about similar/related issues can be found at:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/1053
https://github.com/rpm-software-management/dnf/issues/1974
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
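
An added example, not part of the original message and not code from GnuPG or Sequoia: a strict MPI length check applied to the signature MPIs copied from the two dumps above. It relies on the RFC 4880 section 3.2 rule that an MPI's bit count starts at the most significant non-zero bit; the function names are illustrative.

```python
# Added example (not from the original post): strict MPI length check.
# An OpenPGP MPI is a 2-byte big-endian bit count followed by the value;
# RFC 4880 section 3.2 counts bits from the most significant non-zero bit.

# Signature MPI values copied from the two `sq packet dump -x` outputs above.
R_HEX = ("87ab4e3aa84b13197f39214aef"
         "7e8710742782509b1454c31c1f583409" "b52f27")
S_HEX = ("b2c7d60d3e234041fe8e9c"
         "512821a031b7ca559cb3a36a70d9cad0" "c7bdeb0f")
SIG_2_2_40 = bytes.fromhex("0100" + R_HEX + "00f8" + S_HEX)
SIG_2_4_0 = bytes.fromhex("0100" + R_HEX + "0100" + "00" + S_HEX)


def parse_mpis(buf):
    """Split a byte string into (declared_bits, value_bytes) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated MPI length field")
        bits = int.from_bytes(buf[pos:pos + 2], "big")
        end = pos + 2 + (bits + 7) // 8
        if end > len(buf):
            raise ValueError("truncated MPI value")
        out.append((bits, buf[pos + 2:end]))
        pos = end
    return out


def audit(buf):
    """Return (index, declared_bits, actual_bits) for each padded MPI."""
    problems = []
    for i, (bits, value) in enumerate(parse_mpis(buf)):
        actual = int.from_bytes(value, "big").bit_length()
        if actual != bits:  # leading zero bits: what a strict parser rejects
            problems.append((i, bits, actual))
    return problems


def canonical(buf):
    """Re-encode every MPI with its minimal bit count and no zero padding."""
    out = b""
    for _, value in parse_mpis(buf):
        n = int.from_bytes(value, "big")
        nbits = n.bit_length()
        out += nbits.to_bytes(2, "big") + n.to_bytes((nbits + 7) // 8, "big")
    return out


if __name__ == "__main__":
    print("2.2.40:", audit(SIG_2_2_40))
    print("2.4.0: ", audit(SIG_2_4_0))
```

The one-byte difference between the two encodings matches the 146-byte versus 147-byte signature packet lengths in the dumps.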