Invalid cross certification?

Robert J. Hansen rjh at sixdemonbag.org
Tue Apr 8 17:35:31 CEST 2008



I'm beginning to do my own testing of GnuPG 2.0.9, and I'm seeing
something a bit odd.  I have a message encrypted and signed to myself
which GnuPG 1.4.9 decrypts and verifies correctly.  GnuPG 2.0.9 gives a
warning about there being an invalid cross-certification.

Googling was not especially helpful.  Checking the source code,
sig-check.c turned out to have the most useful bit of information:

/* Check the backsig.  This is a 0x19 signature from the
   subkey on the primary key.  The idea here is that it should
   not be possible for someone to "steal" subkeys and claim
   them as their own.  The attacker couldn't actually use the
   subkey, but they could try and claim ownership of any
   signatures issued by it. */

So the obvious questions:

1.  If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is
there this difference in functionality?

2.  How is it possible to put an 0x19 signature on the primary key from
the subkey, in order to get rid of this error message?


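Added example (not part of the original message and not GnuPG's code): a Python parser that reads a v4 subkey binding signature (type 0x18) and reports whether it carries an embedded 0x19 signature, the backsig that the quoted sig-check.c comment describes. The subpacket layout follows RFC 4880, the function names and sample bytes are constructed for illustration, and the check is structural only: it does not verify the embedded signature cryptographically.

```python
import struct

SUBKEY_BINDING, PRIMARY_KEY_BINDING = 0x18, 0x19  # binding sig, back signature
EMBEDDED_SIGNATURE = 32  # subpacket type that carries a nested signature

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def parse_v4_signature(body):
    """Return (signature type, subpackets of both areas) for a v4 body."""
    try:
        if body[0] != 4:
            raise ValueError("not a v4 signature")
        off = 6 + struct.unpack(">H", body[4:6])[0]      # end of hashed area
        end = off + 2 + struct.unpack(">H", body[off:off + 2])[0]
        areas = body[6:off], body[off + 2:end]
        return body[1], [sp for area in areas for sp in subpackets(area)]
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed signature packet") from exc

def has_backsig(binding_body):
    """True if a 0x18 signature embeds a 0x19 signature (structure only)."""
    sigtype, subs = parse_v4_signature(binding_body)
    if sigtype != SUBKEY_BINDING:
        raise ValueError("not a subkey binding signature")
    return any(t == EMBEDDED_SIGNATURE and parse_v4_signature(d)[0] == PRIMARY_KEY_BINDING
               for t, d in subs)

# Constructed sample data, not real key material: RSA/SHA256 ids, dummy MPI.
def make_sig(sigtype, hashed=b"", unhashed=b""):
    return (bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00\x00\x01\x01")

CREATED = bytes([5, 2]) + struct.pack(">I", 1207668931)  # creation-time subpacket
EMBEDDED = make_sig(PRIMARY_KEY_BINDING, CREATED)
WITH_BACKSIG = make_sig(0x18, CREATED, bytes([len(EMBEDDED) + 1, 32]) + EMBEDDED)
WITHOUT_BACKSIG = make_sig(0x18, CREATED)
```
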


