Page MenuHome GnuPG
Create Task
Maniphest T5331

Possibly incompatible Ed25519 signature between other implementations and 2.3-bata
Closed, ResolvedPublic
Actions

Description

GnuPG 2.3 may produce incompatible Ed25519 signature.

That's because the signature in Ed25519 is composed by R and S, where:

  • R is an EC point
  • S is an integer (little-endian)

And R is encoded without the 0x40 in OpenPGP.

In GnuPG 2.2 currently, when it is written out, leading zero-bytes are removed (to avoid malformed MPI in OpenPGP).
When it is read, GnuPG (both of 2.2 and 2.3-beta), recovers this leading zero-bytes.

Revisions and Commits

rG GnuPG
rG61ac580a2075 gpg: Emit compatible Ed25519 signature.

Related Objects
Search...

Event Timeline

gniibe created this task.Mar 1 2021, 9:15 AM
gniibe added a comment.EditedMar 1 2021, 9:30 AM

We could add compatibility mode for Ed25519 signature to conform well-formed MPI (expecting recovery).

gniibe added a comment.Mar 3 2021, 8:22 AM

Here are example files produced by GnuPG 2.3-beta:
S part has preceding zero:

0110.asc316 BDownload

R part has preceding zero:
0354.asc316 BDownload

GnuPG 2.2 can handle those files correctly, but never produces such preceding zeros.

gniibe added a comment.Mar 3 2021, 8:25 AM
========= 0110.asc ==========
# off=0 ctb=88 tag=2 hlen=2 plen=117
:signature packet: algo 22, keyid E267B052364F028D
	version 4, created 1614755507, md5len 0, sigclass 0x01
	digest algo 10, begin of digest 4f 78
	hashed subpkt 33 len 21 (issuer fpr v4 249CB3771750745D5CDD323CE267B052364F028D)
	hashed subpkt 2 len 4 (sig created 2021-03-03)
	subpkt 16 len 8 (issuer key ID E267B052364F028D)
	data: ADEE890B755C3B52D46FB0105097F23B5905B472C626222ACB4E441D8EB40001
	data: 007119FF80C34DA152BDB07E1EF5D968CB9F2773002A0CF57911670BE248CF06
========= 0354.asc ==========
# off=0 ctb=88 tag=2 hlen=2 plen=117
:signature packet: algo 22, keyid E267B052364F028D
	version 4, created 1614755520, md5len 0, sigclass 0x01
	digest algo 10, begin of digest 28 19
	hashed subpkt 33 len 21 (issuer fpr v4 249CB3771750745D5CDD323CE267B052364F028D)
	hashed subpkt 2 len 4 (sig created 2021-03-03)
	subpkt 16 len 8 (issuer key ID E267B052364F028D)
	data: 001DB3839E3FD8D4CB81357EE5E42F4AF652C252A03A0FB21768621B1025C08C
	data: AF5A0910EF1D4D6BDD07EA0AA6D69049CB7BA7ED42427E14B8B72CF2C2231704
gniibe renamed this task from Incompatible Ed25519 signature between GnuPG 2.2 and 2.3-bata to Possibly incompatible Ed25519 signature between other implementations and 2.3-bata.Mar 3 2021, 8:50 AM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).Nov 13 2021, 2:38 PM
gniibe updated the task description. (Show Details)Nov 25 2021, 5:52 AM
gniibe added a comment.EditedNov 25 2021, 6:29 AM

To be conservative, given the situation most implementations already support zero-removal and zero-recovery, it's better to output zero-removed signature, that is, signature with well-formed MPI.

gniibe added a comment.EditedDec 8 2021, 12:20 PM

GnuPG 2.2 does:

  • In g10/sign.c:do_sign, it keeps leading zeros for Ed25519 signature, as opaque MPI
  • In g10/build-packet.c:do_signature which calls gpg_mpi_write to output the (opaque) MPI, leading zeros are removed.

So, in the signature packet, no leading zeros.

gniibe added a comment.Dec 9 2021, 7:30 AM

A patch created:

0001-gpg-Emit-compatible-Ed25519-signature.patch3 KBDownload

gniibe added a comment.Dec 10 2021, 7:44 AM

Adding comments, fixing "const" qualifier, I pushed the change.

gniibe added a project: Restricted Project.Dec 10 2021, 7:45 AM
gniibe added a commit: rG61ac580a2075: gpg: Emit compatible Ed25519 signature..Dec 10 2021, 8:32 AM
werner mentioned this in T5654: Release GnuPG 2.3.4.Dec 20 2021, 11:08 PM
gniibe closed this task as Resolved.Jul 12 2022, 9:14 AM
gniibe removed a project: Restricted Project.