gpg --export produces invalid EdDSA output - regression

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Tue Sep 12 17:45:05 CEST 2023


Hello,

GnuPG 2.4.0 produces invalid output when exporting EdDSA key.
Specifically, there is extra padding in the signature. This causes
Sequoia (and maybe others) to reject such key (GnuPG itself accepts it).

The problem does not affect 2.2.40, so this is a regression in some
later version.

This can be reproduced as follows:

wget https://github.com/QubesOS/qubes-qubes-release/raw/main/RPM-GPG-KEY-qubes-4.2-templates-community
mkdir ~/test
gpg --homedir ~/test --import RPM-GPG-KEY-qubes-4.2-templates-community

With 2.2.4:

[user at disp6884 gnupg-2.2.40]$ g10/gpg --homedir ~/test --export |sq packet dump -x
Public-Key Packet, old CTB, 2 header bytes + 51 bytes
    Version: 4
    Creation time: 2023-03-14 14:35:36 UTC
    Pk algo: EdDSA
    Pk size: 256 bits
    Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
    KeyID: 08D08ABE6D5C71B3
  
    00000000  98                                                 CTB
    00000001     33                                              length
    00000002        04                                           version
    00000003           64 10 86 38                               creation_time
    00000007                       16                            pk_algo
    00000008                           09                        curve_len
    00000009                              2b 06 01 04 01 da 47   curve
    00000010  0f 01
    00000012        01 07                                        eddsa_public_len
    00000014              40 a8 b6 69  8c 05 70 46 52 b5 2d 5d   eddsa_public
    00000020  08 e7 71 d8 b9 5f a6 e5  24 5b 33 e5 35 1c 5c 0b
    00000030  d9 96 ad bc c7
  
User ID Packet, old CTB, 2 header bytes + 52 bytes
    Value: Qubes OS Release 4.2 Community Templates Signing Key
  
    00000000  b4                                                 CTB
    00000001     34                                              length
    00000002        51 75 62 65 73 20  4f 53 20 52 65 6c 65 61   value
    00000010  73 65 20 34 2e 32 20 43  6f 6d 6d 75 6e 69 74 79
    00000020  20 54 65 6d 70 6c 61 74  65 73 20 53 69 67 6e 69
    00000030  6e 67 20 4b 65 79
  
Signature Packet, old CTB, 2 header bytes + 146 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: EdDSA
    Hash algo: SHA512
    Hashed area:
      Issuer Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
      Signature creation time: 2023-03-14 15:17:16 UTC
      Key flags: CS
      Symmetric algo preferences: AES256, AES192, AES128, TripleDES
      AEAD preferences: OCB
      Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1
      Compression preferences: Zlib, BZip2, Zip
      Features: MDC, AEAD, #2
      Keyserver preferences: no modify
    Unhashed area:
      Issuer: 08D08ABE6D5C71B3
    Digest prefix: 1631
    Level: 0 (signature over data)
  
    00000000  88                                                 CTB
    00000001     92                                              length
    00000002        04                                           version
    00000003           13                                        type
    00000004              16                                     pk_algo
    00000005                 0a                                  hash_algo
    00000006                    00 3b                            hashed_area_len
    00000008                           16                        subpacket length
    00000009                              21                     subpacket tag
    0000000a                                 04                  version
    0000000b                                    8f 24 d3 88 c9   issuer fp
    00000010  da 21 a5 5d 7d bc 8f 08  d0 8a be 6d 5c 71 b3
    0000001f                                                05   subpacket length
    00000020  02                                                 subpacket tag
    00000021     64 10 8f fc                                     sig creation time
    00000025                 02                                  subpacket length
    00000026                    1b                               subpacket tag
    00000027                       03                            key flags
    00000028                           05                        subpacket length
    00000029                              0b                     subpacket tag
    0000002a                                 09 08 07 02         pref sym algos
    0000002e                                             02      subpacket length
    0000002f                                                22   subpacket tag
    00000030  02                                                 pref aead algos
    00000031     06                                              subpacket length
    00000032        15                                           subpacket tag
    00000033           0a 09 08 0b 02                            pref hash algos
    00000038                           04                        subpacket length
    00000039                              16                     subpacket tag
    0000003a                                 02 03 01            pref compression algos
    0000003d                                          02         subpacket length
    0000003e                                             1e      subpacket tag
    0000003f                                                07   features
    00000040  02                                                 subpacket length
    00000041     17                                              subpacket tag
    00000042        80                                           key server pref
    00000043           00 0a                                     unhashed_area_len
    00000045                 09                                  subpacket length
    00000046                    10                               subpacket tag
    00000047                       08  d0 8a be 6d 5c 71 b3      issuer
    0000004f                                                16   digest_prefix1
    00000050  31                                                 digest_prefix2
    00000051     01 00                                           eddsa_sig_r_len
    00000053           87 ab 4e 3a a8  4b 13 19 7f 39 21 4a ef   eddsa_sig_r
    00000060  7e 87 10 74 27 82 50 9b  14 54 c3 1c 1f 58 34 09
    00000070  b5 2f 27
    00000073           00 f8                                     eddsa_sig_s_len
    00000075                 b2 c7 d6  0d 3e 23 40 41 fe 8e 9c   eddsa_sig_s
    00000080  51 28 21 a0 31 b7 ca 55  9c b3 a3 6a 70 d9 ca d0
    00000090  c7 bd eb 0f
  

With 2.4.0:

[user at disp6884 gnupg-2.4.0]$ g10/gpg --homedir ~/test --export |sq packet dump -x
Public-Key Packet, old CTB, 2 header bytes + 51 bytes
    Version: 4
    Creation time: 2023-03-14 14:35:36 UTC
    Pk algo: EdDSA
    Pk size: 256 bits
    Fingerprint: 8F24D388C9DA21A55D7DBC8F08D08ABE6D5C71B3
    KeyID: 08D08ABE6D5C71B3
  
    00000000  98                                                 CTB
    00000001     33                                              length
    00000002        04                                           version
    00000003           64 10 86 38                               creation_time
    00000007                       16                            pk_algo
    00000008                           09                        curve_len
    00000009                              2b 06 01 04 01 da 47   curve
    00000010  0f 01
    00000012        01 07                                        eddsa_public_len
    00000014              40 a8 b6 69  8c 05 70 46 52 b5 2d 5d   eddsa_public
    00000020  08 e7 71 d8 b9 5f a6 e5  24 5b 33 e5 35 1c 5c 0b
    00000030  d9 96 ad bc c7
  
User ID Packet, old CTB, 2 header bytes + 52 bytes
    Value: Qubes OS Release 4.2 Community Templates Signing Key
  
    00000000  b4                                                 CTB
    00000001     34                                              length
    00000002        51 75 62 65 73 20  4f 53 20 52 65 6c 65 61   value
    00000010  73 65 20 34 2e 32 20 43  6f 6d 6d 75 6e 69 74 79
    00000020  20 54 65 6d 70 6c 61 74  65 73 20 53 69 67 6e 69
    00000030  6e 67 20 4b 65 79
  
Unknown or Unsupported Packet, old CTB, 2 header bytes + 147 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in        0 (0)
  
    00000000  88                                                 CTB
    00000001     93                                              length
    00000002        04                                           version
    00000003           13                                        type
    00000004              16                                     pk_algo
    00000005                 0a                                  hash_algo
    00000006                    00 3b                            hashed_area_len
    00000008                           16                        subpacket length
    00000009                              21                     subpacket tag
    0000000a                                 04                  version
    0000000b                                    8f 24 d3 88 c9   issuer fp
    00000010  da 21 a5 5d 7d bc 8f 08  d0 8a be 6d 5c 71 b3
    0000001f                                                05   subpacket length
    00000020  02                                                 subpacket tag
    00000021     64 10 8f fc                                     sig creation time
    00000025                 02                                  subpacket length
    00000026                    1b                               subpacket tag
    00000027                       03                            key flags
    00000028                           05                        subpacket length
    00000029                              0b                     subpacket tag
    0000002a                                 09 08 07 02         pref sym algos
    0000002e                                             02      subpacket length
    0000002f                                                22   subpacket tag
    00000030  02                                                 pref aead algos
    00000031     06                                              subpacket length
    00000032        15                                           subpacket tag
    00000033           0a 09 08 0b 02                            pref hash algos
    00000038                           04                        subpacket length
    00000039                              16                     subpacket tag
    0000003a                                 02 03 01            pref compression algos
    0000003d                                          02         subpacket length
    0000003e                                             1e      subpacket tag
    0000003f                                                07   features
    00000040  02                                                 subpacket length
    00000041     17                                              subpacket tag
    00000042        80                                           key server pref
    00000043           00 0a                                     unhashed_area_len
    00000045                 09                                  subpacket length
    00000046                    10                               subpacket tag
    00000047                       08  d0 8a be 6d 5c 71 b3      issuer
    0000004f                                                16   digest_prefix1
    00000050  31                                                 digest_prefix2
    00000051     01 00                                           eddsa_sig_r_len
    00000053           87 ab 4e 3a a8  4b 13 19 7f 39 21 4a ef   eddsa_sig_r
    00000060  7e 87 10 74 27 82 50 9b  14 54 c3 1c 1f 58 34 09
    00000070  b5 2f 27
    00000073           01 00 00 b2 c7  d6 0d 3e 23 40 41 fe 8e      .......>#@A..
    00000080  9c 51 28 21 a0 31 b7 ca  55 9c b3 a3 6a 70 d9 ca   .Q(!.1..U...jp..
    00000090  d0 c7 bd eb 0f                                     .....


Some more details about similar/related issues can be found at:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/1053
https://github.com/rpm-software-management/dnf/issues/1974


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20230912/5f12390e/attachment-0001.sig>


More information about the Gnupg-devel mailing list