Summary
I have set up a public key for Alice that has one valid signature from Bob and
one invalid signature from Mallory. If you are the real Mallory with her secret
key, GnuPG will behave like you have already signed Alice's public key (even if
that signature is bogus).
Steps To Reproduce
- Import Alice's key that has a fake signature from Mallory (same as Bug 1).
$ gpg2 --check-sigs
/home/user/testring/pubring.gpg
pub   2048R/65B57FDF 2015-04-01
uid                  Bob User (Good Signature) <bob+goodsig@example.com>
sig!3        65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig@example.com>
sub   2048R/83518D34 2015-04-01
sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig@example.com>

pub   2048R/B8062D4C 2015-04-01
uid                  Mallory User (Bad Signature) <mallory+badsig@example.com>
sig!3        B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig@example.com>
sub   2048R/FDE6C57B 2015-04-01
sig!         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig@example.com>

pub   2048R/A5452207 2015-04-01
uid                  Alice User (Signature Test) <alice+sigtest@example.com>
sig!3        A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest@example.com>
sig!         65B57FDF 2015-04-01  Bob User (Good Signature) <bob+goodsig@example.com>
sig-         B8062D4C 2015-04-01  Mallory User (Bad Signature) <mallory+badsig@example.com>
sub   2048R/0BE64ECE 2015-04-01
sig!         A5452207 2015-04-01  Alice User (Signature Test) <alice+sigtest@example.com>

1 bad signature
- Have Mallory's secret key.
$ gpg2 --list-secret-keys
/home/user/testring/secring.gpg
sec 2048R/B8062D4C 2015-04-01
uid Mallory User (Bad Signature) <mallory+badsig@example.com>
ssb 2048R/FDE6C57B 2015-04-01
- GnuPG will act as if Mallory has already signed Alice's public key.
$ gpg2 --sign-key A5452207

pub  2048R/A5452207  created: 2015-04-01  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048R/0BE64ECE  created: 2015-04-01  expires: never       usage: E
[ unknown] (1). Alice User (Signature Test) <alice+sigtest@example.com>

"Alice User (Signature Test) <alice+sigtest@example.com>" was already signed by key B8062D4C
Nothing to sign with key B8062D4C

Key not changed so no update needed.
What Should Happen
GnuPG should verify the signature is valid before acting as if Alice's key is
already signed by Mallory.
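The check the report asks for, written out as an added example (not part of the bug report and not GnuPG's own code): parse the machine-readable output of `gpg2 --with-colons --check-sigs` and treat a signer as having "already signed" a key only when a certification from that signer verified as good (status `!` in field 2 of a `sig` record, per GnuPG's doc/DETAILS), rather than whenever any signature packet from that key ID is present. The sample listing embedded below is constructed to mirror the keyring above; real `--with-colons` output carries 16-hex-digit long key IDs and epoch timestamps, and the short IDs and dates are kept here only so the sample matches the listing in the report.

```python
"""Count a signer as "already signed" only for certifications that verified.

Added example for the bug report above; it is not GnuPG code. It reads the
record layout of `gpg2 --with-colons --check-sigs` (field 1 record type,
field 2 signature status, field 5 key ID, field 11 signature class) and
ignores signature packets that did not verify.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Status codes carried in field 2 of a `sig` record under --check-sigs.
GOOD, BAD, NO_KEY, ERROR = "!", "-", "?", "%"

# Constructed sample (short key IDs and plain dates to match the report;
# real output uses long key IDs and epoch seconds). Alice's key carries
# Bob's good certification and a bogus one from Mallory.
SAMPLE_CHECK_SIGS = """\
pub:-:2048:1:A5452207:2015-04-01:::-:::scESC:
uid:-::::2015-04-01::UIDHASH::Alice User (Signature Test) <alice+sigtest@example.com>:
sig:!::1:A5452207:2015-04-01::::Alice User (Signature Test) <alice+sigtest@example.com>:13x:
sig:!::1:65B57FDF:2015-04-01::::Bob User (Good Signature) <bob+goodsig@example.com>:10x:
sig:-::1:B8062D4C:2015-04-01::::Mallory User (Bad Signature) <mallory+badsig@example.com>:10x:
sub:-:2048:1:0BE64ECE:2015-04-01:::::::e:
sig:!::1:A5452207:2015-04-01::::Alice User (Signature Test) <alice+sigtest@example.com>:18x:
"""

# (signer key ID, status, signature class) for one certification.
Cert = Tuple[str, str, str]


def parse_certifications(colon_output: str) -> Dict[str, List[Cert]]:
    """Map each primary key ID to the certifications on its user IDs.

    Only `sig` records that follow a `uid` record count: signatures after
    `pub` (direct key sigs) or `sub` (subkey bindings) are not user-ID
    certifications, and "already signed" is about user IDs.
    """
    certs: Dict[str, List[Cert]] = {}
    current_key = None
    in_uid = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current_key = fields[4]
            certs.setdefault(current_key, [])
            in_uid = False
        elif rtype == "uid":
            in_uid = True
        elif rtype in ("sub", "ssb"):
            in_uid = False
        elif rtype == "sig" and current_key is not None and in_uid:
            status, signer = fields[1], fields[4]
            sig_class = fields[10] if len(fields) > 10 else ""
            certs[current_key].append((signer, status, sig_class))
    return certs


def certification_statuses(colon_output: str, target: str, signer: str) -> List[str]:
    """Every status GnuPG reported for certifications by `signer` on `target`."""
    return [st for who, st, _ in parse_certifications(colon_output).get(target, [])
            if who == signer]


def already_signed(colon_output: str, target: str, signer: str) -> bool:
    """True only if at least one certification by `signer` verified good.

    This is the check the report asks for: a `sig` record whose status is
    `-`, `?` or `%` is a packet that claims to be from `signer`, not proof
    that `signer` ever certified the key.
    """
    return GOOD in certification_statuses(colon_output, target, signer)


def bogus_signers(colon_output: str, target: str) -> Set[str]:
    """Key IDs that have at least one non-verifying certification on `target`."""
    return {who for who, st, _ in parse_certifications(colon_output).get(target, [])
            if st != GOOD}


def live_check_sigs(gpg: str = "gpg2") -> str:
    """Run the real command; the flags are GnuPG's own, the binary name is assumed."""
    return subprocess.run([gpg, "--with-colons", "--check-sigs"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = live_check_sigs()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_CHECK_SIGS  # fall back to the constructed sample
    for signer in ("65B57FDF", "B8062D4C"):
        print(signer, "already signed A5452207:", already_signed(output, "A5452207", signer))
    print("signers with bogus certifications:", sorted(bogus_signers(output, "A5452207")))
```

Run against the sample, Bob (65B57FDF) is reported as having signed Alice's key and Mallory (B8062D4C) is not, even though a `sig` record from Mallory is present; `bogus_signers` is the set a tool should warn about instead of silently skipping the signing step. Real `--with-colons` output escapes colons inside user IDs as `\x3a`, so the field split stays correct on live data.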