gpg --export produces invalid EdDSA output - regression

Werner Koch wk at
Thu Sep 14 14:11:52 CEST 2023


The issue you mention has been discussed in length and Gniibe actually
took over my place in the "crypto-refresh" design team to help clarify
the interpretation of the MPI (which they unfortunatley ignored).  MPIs
in OpenPGP are signed and thus may need a zero prefix byte because
negative numbers are nowhere used.  The solution is to specify a new
type (SOS) at least in certain parts of the protocol.  This must of
course be done in a backward compatible way given that ed25519 is in use
since 2014.

GnuPG 2.2 is older and and does not yet use the SOS which is the reason
for the different encodings you see.  In short, there is no bug but
implementations need to follow this advice

1. OpenPGP implementations should implement:

    Recovery of leading zero octets for Ed25519 key handling (secret
    part) and Ed25519 signature

2. OpenPGP implementations are expected to accept:

    Malformed MPI (with leading zero octet(s)), which is valid in SOS
    For secret part of Ed25519/Curve25519/X448/Ed448 key and for
    signature value S.




The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list