Page MenuHome GnuPG

Possibly incompatible Ed25519 signature between other implementations and 2.3-bata
Open, NormalPublic

Description

GnuPG 2.3 may produce incompatible Ed25519 signature.

That's because the signature in Ed25519 is composed by R and S, where:

  • R is an EC point
  • S is an integer (little-endian)

And R is encoded **without the 0x40" in OpenPGP.

In GnuPG 2.2 currently, when it is written out, leading zero-bytes are removed (to avoid malformed MPI in OpenPGP).
When it is read, GnuPG (both of 2.2 and 2.3-beta), recovers this leading zero-bytes.

Event Timeline

We could add compatibility mode for Ed25519 signature to conform well-formed MPI (expecting recovery).

Here are example files produced by GnuPG 2.3-beta:
S part has preceding zero:


R part has preceding zero:

GnuPG 2.2 can handle those files correctly, but never produces such preceding zeros.

========= 0110.asc ==========
# off=0 ctb=88 tag=2 hlen=2 plen=117
:signature packet: algo 22, keyid E267B052364F028D
	version 4, created 1614755507, md5len 0, sigclass 0x01
	digest algo 10, begin of digest 4f 78
	hashed subpkt 33 len 21 (issuer fpr v4 249CB3771750745D5CDD323CE267B052364F028D)
	hashed subpkt 2 len 4 (sig created 2021-03-03)
	subpkt 16 len 8 (issuer key ID E267B052364F028D)
	data: ADEE890B755C3B52D46FB0105097F23B5905B472C626222ACB4E441D8EB40001
	data: 007119FF80C34DA152BDB07E1EF5D968CB9F2773002A0CF57911670BE248CF06
========= 0354.asc ==========
# off=0 ctb=88 tag=2 hlen=2 plen=117
:signature packet: algo 22, keyid E267B052364F028D
	version 4, created 1614755520, md5len 0, sigclass 0x01
	digest algo 10, begin of digest 28 19
	hashed subpkt 33 len 21 (issuer fpr v4 249CB3771750745D5CDD323CE267B052364F028D)
	hashed subpkt 2 len 4 (sig created 2021-03-03)
	subpkt 16 len 8 (issuer key ID E267B052364F028D)
	data: 001DB3839E3FD8D4CB81357EE5E42F4AF652C252A03A0FB21768621B1025C08C
	data: AF5A0910EF1D4D6BDD07EA0AA6D69049CB7BA7ED42427E14B8B72CF2C2231704
gniibe renamed this task from Incompatible Ed25519 signature between GnuPG 2.2 and 2.3-bata to Possibly incompatible Ed25519 signature between other implementations and 2.3-bata.Mar 3 2021, 8:50 AM