gpg --export produces invalid EdDSA output - regression

Werner Koch wk at
Thu Sep 14 15:49:47 CEST 2023

On Thu, 14 Sep 2023 14:34, Marek Marczykowski-Górecki said:

> Hmm, but the RFC seems to specify it as unsigned, not signed:

Sure - mail edit error on my part.

> Given the above, I'm not sure if that's really necessary. But even if it
> is, it isn't "backward compatible" change, since standard
> respecting-compliant implementation is expected to treat leading zeroes
> as malformed.

The problem here is that this is not a number.  The MPI requirement has
been ignored since the introduction of RFC-6637 (ECC for OpenPGP) in
PGP, GnuPG and other implementation with support for ECC.

> My reading of the above is rather "an OpenPGP implementation that wants
> to be compatible with GnuPG should also accept MPI that is not compliant
> with the OpenPGP specification"... Have I missed some part of the spec?

A specification and the actual practise almost always differ. Even if
the author of RFC-6637 also did the implementation for PGP and GnuPG.
It is a specification bug and newer implementations need to cope with
the reality.

> Is this new "SOS" type described in some specification?


>> (see

and of course the code.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list