Invalid cross certification?
Robert J. Hansen
rjh at sixdemonbag.org
Tue Apr 8 17:35:31 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
I'm beginning to do my own testing of GnuPG 2.0.9, and I'm seeing
something a bit odd. I have a message encrypted and signed to myself
which GnuPG 1.4.9 decrypts and verifies correctly. GnuPG 2.0.9 gives a
warning about there being an invalid cross-certification.

Googling was not especially helpful. Checking the source code,
sig-check.c turned out to have the most useful bit of information:

    /* Check the backsig. This is a 0x19 signature from the
       subkey on the primary key. The idea here is that it should
       not be possible for someone to "steal" subkeys and claim
       them as their own. The attacker couldn't actually use the
       subkey, but they could try and claim ownership of any
       signatures issued by it. */

So the obvious questions:

1. If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is
   there this difference in functionality?

2. How is it possible to put an 0x19 signature on the primary key from
   the subkey, in order to get rid of this error message?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
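
The structure that the sig-check.c comment describes, as an added example (not GnuPG's code and not part of the original message): a Python parser that walks binary OpenPGP packets, such as the output of `gpg --export`, and reports for each 0x18 subkey binding signature whether a 0x19 signature is embedded in it. It checks presence only, not cryptographic validity, and assumes a subkey is signing-capable only when its key flags subpacket says so; all function names and the sample bytes are this example's own.

```python
def length_at(buf, i, two_max):  # decode a length field -> (length, next index)
    n = buf[i]
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    if n > two_max:
        raise ValueError("partial body length not handled")
    return (n, i + 1) if n < 192 else (((n - 192) << 8) + buf[i + 1] + 192, i + 2)

def packets(data):  # yield (tag, body) per packet, old or new header (RFC 4880, 4.2)
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                              # new-format header
            tag, (n, i) = hdr & 0x3F, length_at(data, i, 223)
        else:                                       # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def subpackets(area):  # yield (type, data) per signature subpacket (RFC 4880, 5.2.3.1)
    i = 0
    while i < len(area):
        n, i = length_at(area, i, 254)
        yield area[i] & 0x7F, area[i + 1:i + n]     # mask off the critical bit
        i += n

def sig_fields(body):  # (signature type, hashed + unhashed subpackets) of a v4 signature
    if body[:1] != b"\x04":
        return None, []
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    return body[1], [sp for area in areas for sp in subpackets(area)]

def audit(keydata):  # one status per 0x18 subkey binding signature in keydata
    out = []
    for sig_type, subs in (sig_fields(b) for tag, b in packets(keydata) if tag == 2):
        if sig_type == 0x18:
            signing = any(t == 27 and d and d[0] & 0x02 for t, d in subs)   # key flags
            backsig = any(t == 32 and sig_fields(d)[0] == 0x19 for t, d in subs)
            out.append("ok" if backsig else "missing-backsig" if signing else "not-signing")
    return out

SAMPLE = bytes.fromhex(  # constructed, not a real key: sign+0x19, sign only, encrypt only
    "881f04180108" "0003021b02" "000f0e20" "0419010800000000" "0000000101" "0000000101"
    "c21004180108" "0003021b02" "0000" "0000000101"
    "881004180108" "0003021b0c" "0000" "0000000101")
```

Subkeys reported as `missing-backsig` are the ones the `cross-certify` command under `gpg --edit-key` is meant to repair.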