
GnuPG fails to verify signatures that have an issuer fingerprint but no issuer subpacket
Closed, Resolved (Public)

Description

RFC4880bis says:

5.2.3.28.  Issuer Fingerprint

 (1 octet key version number, N octets of fingerprint)

 The OpenPGP Key fingerprint of the key issuing the signature.  This
 subpacket SHOULD be included in all signatures.  If the version of
 the issuing key is 4 and an Issuer subpacket is also included in the
 signature, the key ID of the Issuer subpacket MUST match the low 64
 bits of the fingerprint.

That suggests that the Issuer subpacket is optional, and indeed it MUST NOT be included in v5 signatures. However, GnuPG fails to verify signatures that have an issuer fingerprint but no issuer subpacket:

% gpg --verify hello.asc
gpg: assuming signed data in 'hello'
gpg: Signature made Thu 28 Jun 2018 04:43:00 PM CEST
gpg:                using RSA key CF23490B0F78B850BBBC7369D120B626ECABF51D
gpg: Can't check signature: No public key
% gpg --list-packets hello.asc
# off=0 ctb=c2 tag=2 hlen=2 plen=169 new-ctb
:signature packet: algo 1, keyid 0000000000000000
        version 4, created 1530196980, md5len 0, sigclass 0x00
        digest algo 10, begin of digest d8 9b
        critical hashed subpkt 2 len 4 (sig created 2018-06-28)
        critical hashed subpkt 33 len 21 (issuer fpr v4 CF23490B0F78B850BBBC7369D120B626ECABF51D)
        data: [1022 bits]
% gpg --version
gpg (GnuPG) 2.2.8
libgcrypt 1.8.3
...

The signature is made using the "Test three (no pp) <three@example.com>" key from the GnuPG test suite. I'll attach the files and the key to the issue.

Details

Version
2.2.8
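
The rule quoted from RFC4880bis can be implemented as in the following added example, which is not GnuPG code and not part of the original report: it parses a v4 signature's subpacket areas, derives the key ID from the Issuer Fingerprint (subpacket 33) when no Issuer subpacket (16) is present, and rejects a mismatch when both are. The names parse_subpackets, resolve_issuer, FPR and HASHED are assumptions of this example; the sample bytes are constructed from the --list-packets output above.

```python
ISSUER, ISSUER_FPR = 16, 33  # signature subpacket types

def parse_subpackets(area: bytes):
    """Return [(type, critical, data)] for one signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:        # one-octet length
            length, i = first, i + 1
        elif first < 255:      # two-octet length
            length = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192
            i += 2
        else:                  # 0xFF followed by a four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed or truncated subpacket")
        # length counts the type octet; its high bit is the critical flag
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out

def resolve_issuer(hashed: bytes, unhashed: bytes = b""):
    """Return (fingerprint_hex, keyid_hex) of the issuing key; either may be None."""
    fpr = keyid = None
    for stype, _crit, data in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if stype == ISSUER_FPR:
            if len(data) < 2 or (data[0] == 4 and len(data) != 21):
                raise ValueError("bad Issuer Fingerprint subpacket")
            fpr = data         # 1 octet key version + fingerprint
        elif stype == ISSUER:
            if len(data) != 8:
                raise ValueError("bad Issuer subpacket")
            keyid = data
    if fpr is not None and fpr[0] == 4:
        derived = fpr[-8:]     # low 64 bits of a v4 fingerprint
        if keyid is not None and keyid != derived:
            raise ValueError("Issuer key ID does not match Issuer Fingerprint")
        keyid = derived
    return (fpr[1:].hex().upper() if fpr else None,
            keyid.hex().upper() if keyid else None)

# Hashed area rebuilt from the --list-packets output above (constructed bytes).
FPR = bytes.fromhex("CF23490B0F78B850BBBC7369D120B626ECABF51D")
HASHED = (bytes([5, 0x80 | 2]) + (1530196980).to_bytes(4, "big")
          + bytes([22, 0x80 | 33, 4]) + FPR)

if __name__ == "__main__":
    print(resolve_issuer(HASHED))
```

The value returned here only selects which public key to try; whether the signature is valid is still decided by the cryptographic check against that key.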

Event Timeline

justus created this object in space S1 Public.

Attaching files is gone, but here they are inline:

% cat hello
hello
% cat hello.asc
-----BEGIN PGP MESSAGE-----

wqkEAAEKAB0Fgls08/QWoQTPI0kLD3i4ULu8c2nRILYm7Kv1HQAA2JsD/isSJ18E
uqIGkGqOnaegLRm5h3ne3MiA+L2JJQgQ+K9XEyyZiNwrynBZJywWXggnUUO0DViC
nczYOLF9tCCKgJwcz6XFLg1csGoD7x2BsNdb2vhwrXPqD7nXkY3Bs5ZSAF74Jd/5
UENj8U97Q1/aarm1BkLU6oUf/HVtaf0em/pe
=KJu2
-----END PGP MESSAGE-----
% cat /tmp/CF23490B0F78B850BBBC7369D120B626ECABF51D.asc 
werner triaged this task as Normal priority. Jun 28 2018, 9:11 PM

Thanks. The entire getkey.c code better needs a complete overhaul before we add v5 keys.