Bad signatures issued on macOS

Jordan Martinez jordan.martinez at arista.com
Wed Mar 11 18:12:08 CET 2026


Please see https://github.com/jam-awake/gpg-verify-bug

It provides a reproducible repo. It demonstrates 4 freshly generated RSA
keys (public and private) that are not expired, not revoked, and have
varying key lengths, which reproduce this issue.

On Mon, Feb 23, 2026 at 6:30 PM NIIBE Yutaka <gniibe at fsij.org> wrote:

> Jordan Martinez wrote:
> > Using 2.5.17, I tried verifying the same signature 100 times via a script
> > and got a bad signature on each attempt. Here's how I ran such a test. Let
> > me know whether or not this is a valid test run.
>
> It is a valid test run.
>
> My debug showed that the key used for signature validation was wrong for
> some reason.  It was not possible to determine why the wrong key was selected.
>
> If it is possible to share the public key in question (6E628CC4145FD2ED)
> and the signature (a single signature is enough) with input, please send
> me those.  ** Please never send the private key. **
>
> # I tried to find the key on public keyservers and WKD, but it's not
> # available.
>
>
> If it is not possible, please investigate the public key.
>
> * Is the subkey expired?
> * Is the subkey revoked?
> * Is the subkey qualified for modern use cases?
>   (For example, it's possible to have short key length in current
> standard.)
>
> I think that one of those could be a reason why the wrong key was selected.
> There might be other possibilities.


-- 
Blessings,
Jordan
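The three questions in the quoted reply (is the subkey expired, revoked, or too short for current policy) can be answered mechanically from gpg's machine-readable listing. The following is an added example, not code from this thread or from GnuPG: it parses the `gpg --with-colons --list-keys` record format documented in GnuPG's doc/DETAILS (field 2 validity, field 3 key length, field 4 algorithm, field 5 key ID, field 7 expiry, field 12 capabilities) and reports which signing-capable keys would fail each check. The listing embedded in it is constructed; its key IDs and fingerprints are placeholders, not the key discussed on the list, and the 2048-bit threshold is an assumption standing in for whatever policy the verifying gpg enforces.

```python
"""Check a GnuPG public key for the conditions that can make a (sub)key
unusable for signature verification: expiry, revocation, short key length.

Added example, not code from this thread or from GnuPG.  It reads the
machine-readable `gpg --with-colons --list-keys` format (see GnuPG's
doc/DETAILS).  SAMPLE_LISTING is constructed; its key IDs and
fingerprints are placeholders, not the key discussed on the list."""
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_RSA_BITS = 2048   # assumption: RSA keys shorter than this are flagged as weak
RSA_ALGO_ID = 1       # OpenPGP public-key algorithm id for RSA


@dataclass
class KeyRecord:
    kind: str                 # "pub" (primary) or "sub" (subkey)
    keyid: str
    algo: int
    bits: int
    validity: str             # field 2: 'e' expired, 'r' revoked, 'u'/'f' usable
    expires: Optional[int]    # field 7: UNIX time, empty when the key never expires
    caps: str                 # field 12: lowercase letters are this key's own
                              # capabilities (s=sign, e=encrypt, c=certify, a=auth)
    fingerprint: str = ""     # filled in from the "fpr" record that follows


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Turn --with-colons output into KeyRecord objects (pub and sub only)."""
    records: List[KeyRecord] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            records.append(KeyRecord(
                kind=f[0], keyid=f[4], algo=int(f[3]), bits=int(f[2]),
                validity=f[1], expires=int(f[6]) if f[6] else None,
                caps=f[11]))
        elif f[0] == "fpr" and records and len(f) > 9:
            records[-1].fingerprint = f[9]   # fpr record: field 10 is the fingerprint
    return records


def problems(key: KeyRecord, now: int) -> List[str]:
    """Reasons this key would not be accepted for a signature check."""
    found = []
    if "r" in key.validity:
        found.append("revoked")
    if "e" in key.validity or (key.expires is not None and key.expires <= now):
        found.append("expired")
    if key.algo == RSA_ALGO_ID and key.bits < MIN_RSA_BITS:
        found.append(f"weak RSA key ({key.bits} bits < {MIN_RSA_BITS})")
    if "s" not in key.caps:
        found.append("no signing capability")
    return found


def signing_key_report(text: str, now: Optional[int] = None) -> Dict[str, List[str]]:
    """keyid -> list of problems, for every primary key or subkey able to sign."""
    now = int(time.time()) if now is None else now
    return {k.keyid: problems(k, now)
            for k in parse_colon_listing(text) if "s" in k.caps}


def usable_signing_keyids(text: str, now: Optional[int] = None) -> List[str]:
    """Key IDs that pass every check and so are candidates for verification."""
    return [kid for kid, probs in signing_key_report(text, now).items() if not probs]


def list_key_colons(keyid: str) -> str:
    """Fetch the listing for a real key from the local keyring via gpg."""
    return subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-keys", keyid],
        check=True, capture_output=True, text=True).stdout


# Constructed sample: one primary key plus three signing subkeys, each of
# which trips one of the checks above.  IDs and fingerprints are placeholders.
NOW = 1_700_050_000
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1700000000::1234567890ABCDEF1234567890ABCDEF12345678::Example Signer <signer@example.org>::::::::::0:
sub:e:1024:1:BBBBBBBBBBBBBBBB:1700000000:1700000100:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:r:2048:1:CCCCCCCCCCCCCCCC:1700000000::::::s::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1700000000::::::s::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
"""

if __name__ == "__main__":
    for keyid, probs in signing_key_report(SAMPLE_LISTING, now=NOW).items():
        print(keyid, "OK" if not probs else "; ".join(probs))
```

To run it against the key from the thread, feed `list_key_colons("6E628CC4145FD2ED")` to `signing_key_report()`; a key that comes back with an empty problem list for a signing subkey, yet still yields BAD signature, is the interesting case, because it rules out the three explanations offered above.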