
Consider all Issuer subpackets when validating a signature
Closed, InvalidPublic

Description

A signature may have multiple issuer subpackets. Supporting this may be useful to accelerate the adoption of v5-based certificates. Alice could convert her v4 certificate to a v5 certificate without retiring her v4 certificate, and her OpenPGP implementation could add both keyids to the signature. Then, when Bob tries to validate a signature from Alice, his implementation can still validate it even if his OpenPGP implementation only understands v4 certificates or only has the v4 variant. I've attached an example certificate, which gpg is unable to import.

$ gpg --import multiple-issuer-subpacket.pgp
gpg: key 0xFBF21AC90EC54370: 4 signatures not checked due to missing keys
gpg: key 0xFBF21AC90EC54370: new key but contains no user ID - skipped
gpg: key 0xFBF21AC90EC54370: failed to re-lookup public key: No public key
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg:       secret keys read: 1
$ gpg --list-packets multiple-issuer-subpacket.pgp
# off=0 ctb=c5 tag=5 hlen=2 plen=88 new-ctb
:secret key packet:
	version 4, algo 22, created 1618909780, expires 0
	pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
	pkey[1]: [263 bits]
	skey[2]: [256 bits]
	checksum: 0f75
	keyid: FBF21AC90EC54370
# off=90 ctb=c2 tag=2 hlen=3 plen=196 new-ctb
:signature packet: algo 22, keyid 0123456789ABCDEF
	version 4, created 1618909780, md5len 0, sigclass 0x1f
	digest algo 10, begin of digest 1b db
	critical hashed subpkt 2 len 4 (sig created 2021-04-20)
	critical hashed subpkt 9 len 4 (key expires after 3y0d17h26m)
	hashed subpkt 11 len 2 (pref-sym-algos: 9 7)
	hashed subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
	hashed subpkt 16 len 8 (issuer key ID FBF21AC90EC54370)
	hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable])
	hashed subpkt 21 len 2 (pref-hash-algos: 10 8)
	critical hashed subpkt 27 len 1 (key flags: 01)
	hashed subpkt 30 len 1 (features: 01)
	data: [256 bits]
	data: [256 bits]
...

Details

Version
2.2.20

Event Timeline

This comment was removed by neal.
werner edited projects, added Feature Request, OpenPGP; removed Bug Report.

I just realized that my example is incorrect. It doesn't make sense to support multiple issuer subpackets on self signatures. But it is useful to do so on binary signatures and third-party certifications. Here's a better example, which gpg correctly supports. As such, this issue should be closed. Sorry for the noise.

$ sq armor alice.pgp
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQVYBGB+ohYBDAC2FL0xv2/7YRyAtjkROZA3C971FKsHbufkmkqZWKV3vFdTxeG1
St8pGQ2w587Hzy4JSZl2j7y68mxG0Cw/eoYAWNo9LQZwOS6U6NWU5OyhwjDyh+mp
d6Pdvd3czLzozEIHxE5Bv40KOKKkub5eZbzGhgtYywbYEmlzaTofaFelZOmRxlo6
M64wKDEMPfP7nxFwsgA/v/21c6rUm3f9186zwkm0ObrD1D1lHjjNVdYHN4SU6+aG
lGb4bdkNaIVt1+HFGGiyBi4PgRDqXrV7AiFgh9hCuaoxSdTd+5Jd05looXzEkoz5
aPvhCAnobZgLEICiDhkgMV6QZUQed/U4IC+1WtsdJRzTnHa1WQa5lJoFZIZM2h3c
/6DYGqgBUqwjQUOIIuvweHDqgkWd0rt5uHh/MF6r9zynGaOqaenXWnYjCG0aRwtP
dKCMsGVFyMN6Z885EXjdYfk1sE2p2QvhGde9LN916yBPyDroABgRvETHAn+rWUD2
Y0Qfs4VzzWWG3X8AEQEAAQAL/iouF74EiR6E2qN+ky3IVf5Kg7XmudAZAyNUEt//
RyW7vccsWiMzWwscQK2wpZhoCFQidqiel6v/KNImu3lhGtXNv5DYc1tgA8h/P6sk
dSTr5YbpsVmO26ksqM7TpxeO6eT+ttpIU5YAlLzwQod/rgGXX92L+uPnMAKKZ+qK
s3MfM3SPrKs6+akyRlp9p52stc+TjLc39MAqMXLbKSrm6X1/Dq/vh7KB4k8gdywq
LFCzrcUJ+PdIPapjWBrhEbfmgIQiRIi0P0SruCuiknH5CAz9X0IW4JsAMmyPfKEn
obLuage9LvyyAQsc9KASTLgo19MFSORBW4DsfdiL+AjpdzOYbjLqXN170bBjI9+2
Lrwo3vHurVLXYP7eqyCoE5/fUnYwScbCvqqNIfh3iIOXvHmJvF7+HAY3Uke0vWZR
jyiI6q1/U2z+xLpZkDja0LhgNr5IBRCRYCMzXksvCBjQsdfIbhKZ4N21joM2K29h
pXE3NRQC9NHTwRRpT49KsdgIQQYAwnZrCb6ZPu4YkZpGBzlnzMLycABBcIURS22Q
Fs00vkjuebkwvHvVtTjsVK6MLzS5++j+eAetc0vGr2cSd3p8I/8eB/AsNpX2LZtn
KVpFJk/eRYEK0AsZVpvbNxyUNccLJfbtub67kEW518hoimcZMcTuOJdGwZjpI7sD
/yUNB5siIvzEsYrbPCyqX68LqN2JWzrCH5reQlHC+696M9oHjb0n1VIQqQODFuoi
svdcXa9q7XV8ViycwJyVavAlZiURBgDvs0ey/Z/toK6AcrhsEfCMFvpnaWdfU3Xk
m2k5+CWxZHG5tq38xC29f1QgH9JAD3EPNe8X0b5Lia1fQKEcSMF6XVxffdrubIgU
ujZ27w08TQZGLrIaD+Hh4nRxqkS21A5FMK5nndynKihT7RoxHAUAW0DR5UFDtJaG
bg+2TLkIIqyxCu0kKmyzyyXuph5rx1QW/QBz0DLrN2WByvODWbxqNoYJE30ggWah
OD66T98FhhnHoqqcfoExYwURfkxBmY8GAJkq2JEXt7m1WgoYYZ7A+vdy3oVQU8CG
f9S7yxbA6mUzE0eXRjaGPc1ySZU8twHzeZ8TKgpCxH4qTPOdFxlNcHQvNNJ/C2wN
tuB//u+IEUe9HnDZ0t4dV2HLZ5lALwYZLH8l7uF9ep70gwADnUK0Cq/ebK9yB0R4
E7aAZJVLaWpOm1hydHnFl0vu/x3R2V61wIoVZDmnRgjzkAfBYO5xxGXphlZQb24S
vslmS28Ww6qViJHggLKTBEURTco0L3yRStFAtBM8YWxpY2VAZXhhbXBsZS5vcmc+
iQHRBBMBCgA7FiEEx5ZuPnzmfbvs5fwVTirZRM/HjIYFAmB+ohYCGwMFCQPCZwAI
CwkIBw0MCwoFFQoJCAsCHgECF4AACgkQTirZRM/HjIZilAv+N3QpoZkDI4tPXfVY
6ir5ABAQfGyMbyKwY9qjGQacPBR784HH4ABnu9qxR5HCqRtXJhwxaj8CzKY7yzGf
19af+iWOgqE+Mb2kTQ4IzqUAZocSlJ5wwSyGbYTnCrGuGWtyCIhXrxSaUZZ4S/M+
ZdbctLpkThOIS02oPI7tvtstjl9a1olfTk2pTkB6eqqFOyKKc1qw+p9kutfITrcb
02qE9pjmHMBwB+uffzX94XEGsjXWa+9wsxExKayzBL28nUFkMbWQ9gvFvdEJPeHI
blwxhzeRw8F3GNbLWXKh7TMhbnAjfEgkkItTTRWSvs2vzPeP9l0Dlj4GUxMeSxlR
B53+mibvoX7AcENR2mxFRP61Bp8B8FwXAPc+4aZeQsdA+L9+Pta7HjCG3MCT+FPW
w0wlMivJlBE0v0y283vxmFSSJXcuXdU7T0k+PZsyFxusjCUdlgaZAauLqDuDEOdZ
NszzWjQlKg8ipBeHhXoZrCw9YAeLfFJj7RTmTO+1RQZyHhPZnQVYBGB+ohYBDAC5
7fMzSlUpbYstf6mSJsoZO1o1/2WE2AD39lT998LR/ffoKul9Yajo2FVB+KDtUlbm
5p4xgDI5fF8KrxFXpff5Im2X4KIO8OAr8SY9+tnRDs0b8PPrJZMGGNamPoVx3RoT
teuh0rdEz3Qi+sdNMbK6UNOWSKm9JGyDOEn2t3p/+08j8+JBpRPnLJqCiv+jdZfC
9EjpiBGcIkk9lGFxHyiAT2pJTFeBcLab6ecxQ8NDTXA7kV4jVzpaxYmFp/aCK+xR
8uYh8erfbyTQ38fDiUlXdQf9IuZT9hU2Kz7YnKeP1h9+FKzcAux5eqvy30fgkAYe
lh86vWAoQWbN9b1nJ3JqRl9HZMyaxQ8wAI9ulZIqGwL6mXXUM16d102VEdE+gUqG
ujUqhcHFc856yowWoSLM9Tk/TejMLb9mLyNGCuP83fSe4aZNV9yn3jlCS4Q4Zxqz
6tWsXvu17RtuFbanoTLAuTGWwVqDJBNIMI8nEcBnoz79zaYGZVbktWf+HHSGHGkA
EQEAAQAL/A+dbE9ibsSL7qRjlFox58c2tNzUFjKR8YLhrUGnDTWVnrxg3jspeIYV
pRNlTh6gS6wYsjB2E8HAMDs1eL9jsO+7dHjM5M9ca3dFSXDrIF/uXkt6cQHOpgpd
C6nqlkp5xzbgkGmGyN1+jsJhTVuuUNRU9XApqhe4d2SN1ahiwGb/NCZQ1S+uLX28
wT01b0LLHXPCEF2Mj+4M8xm43HYjp8Me6E4/mxnD3ZI6krAQgNWmK0bVbpKJQN1e
ua3/7TQBfDK04zgj8QZG2aJ7hCsI6Vv4vlRgdSAwjudg+cL/jjmL5cQTLGxWdTXF
dlb+V4E8xBzmn/FNucSeoVedVYjVMP7ifQrasTHWBpGf7HVszSVVGlgLh656+cO3
qwUU42UVEbliXopXiBGoJOcTX7ftHE9Uc9yfKSagACRtR3l0tkgXXMF10ET2MHFP
4zUn1XdGH1OfSWdR0Ym3mINIos0CXxj9KQEKTE220d/n+5VHt+CqsdDZIFKOlRk9
/DQBuw+4AQYAz57b6imb7uBiSpCxiyyNOQx1/jOvwcs4J1WArJshAf1U4AHx5DU+
DxOVL3WHmYojaZZnmTNUZ+BQGbOzt1RG2pj5pNV3wxo8fG4b988vHNFdDqOmlUC+
FBzZpN/wgit9Au/VFEmWr6OownuSWr1dAMM54q26dZ6aMSyn+O71AVGd8UgZ2w2G
SvQCh3hnyn38E5tQIAe2o7M40QQABr9DD+rMjufhOKMUf1/iNSfmjXiZw3Xc7Y/A
DSMWBSz8zDTFBgDlQSjeJaZHQttklLsf8J+c0oKAeq2cUlj3xVFV/b9u3Unf49LN
/rnA+d/bwOQEl39H2SqccDqGr7Hy1MZsWWkjm7naA5uznErnXPVyn5HWHQMT338n
Ap2fPjuIA1gV/O2WNGzkF5dPGwFKhze4UPiRXoAOWHh81Mi42b329f4D2AUmyFoV
tf4zOaGoc1x4iNAIj6j2PM+yi6RXD/EoFXdZKpS+BYEauw+WfwZf5kMi+ihpdj4i
j0eYLB0K5Fklq1UF/0VgTAXrwy4rUtKRKB8Gnyd1St0NxixARfgkqJQcg98buWrz
8vIbOblvVK57x/yHNw1NqfDJJB+yrvsXSd/Ym6dYJnR/GfWUmkcYNjNErlIP4sZJ
/j38BooqwjmEfeUbnU/Hl1maWw4EDlqkUmbumM3NgYNqLVTL/EJG/L/7DzOxAG8i
Zo9J8K5TwZKYeniLUYtzSH4iImgujmYfIBvNoqd0GywGHufG5+krN6GG6BtvODW8
UeTpDGVCU6ZvcntFbNeXiQG2BBgBCgAgFiEEx5ZuPnzmfbvs5fwVTirZRM/HjIYF
AmB+ohYCGwwACgkQTirZRM/HjIYDBgv9EzbHllHb1E7Kx8t1Eu404xGRpbrIEggm
3iElLJulcr+hhoqLdtvb2fVQ932UBO5Kp56W9gvHU1lFGagv541bsGtj33HRKL9C
pU+l4+OlQhJ0p7+SHkiCAi/GwZ4H0gwU3YxaxlhZ1eIXgHCy/oiUzF1XZZ3O/GZm
27zew9T2XhMjk3yvpOvwoqKcpG2cux5ZAHukkZhAmC8w5dglRfV4vw2zGiNlYmLx
tZPdgAV3y9p9hHguTfnXq1Ia0Tr9Oax5Maf24o09Z3wxAp/f+AaIiuQhnuulSULj
8J+a1ugw90WuPrGapMPphT7jsSfng7Oq55lwr2JDZjwoNDaUpW/bDwdsxEiP0mbN
hrOqpJqZz5m+BiwaJaoEqgCEKgtAWLjbSFaZ5lm1Kcr23iAhVIjDL8HMvM9cQwnt
OrZ+pMOkZrBHsYQo6LsUGwj4uB9OMf5dbpAAjfHIFBn2XBs0dqS4zSSbAph+IKov
GVPRWlyHnZKV22GBjlIvX64XjODKo9Lo
=fzDq
-----END PGP PRIVATE KEY BLOCK-----
$ cat msg.sig 
-----BEGIN PGP SIGNATURE-----

wsFFBAABCgB5BYJgfqOoCRABI0VniavN7wkQTirZRM/HjIZHFAAAAAAAHgAgc2Fs
dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnuNMxVTz/SgEpSAseODzeQTUP9Hcy
i0Fn1JNHa9F2xfAWIQTHlm4+fOZ9u+zl/BVOKtlEz8eMhgAA67ML/iZjlHlpsyUS
r57ayv28OgH4W8NdfB/Qx9wVCfcMImqmIuxA6fyd7NDzcCwleO7/UlG4sPsyQyr+
doM6mdh9vXIwVDyK5Ou5opDWQ+7S+GroFAyuFIiKqX6jSL8iZekK7L7KS90uz3hW
WyxQd6Kz0clOVym0yrfsCsJMUV4Way9cqgZE8uid5PFM7OZFT5m9t2XXMwFcLZix
Kdb34x5tMQ1XnBPjDansTVPxOgjja2SDVc6fp5v9J4mZ9qNIvNMsL3mnFIezGB51
L4BVzmL5060MJU4AsEZxoYGGqi2CWxqgYlzSIDix9RYQw6zNF11MKHJS/NYY7aqS
MsdPi5JHeOcwKvUk9RKQK5xenCFv2trkRs/akuv8fYPjpSgcrdx1ufBuFB51Pd4N
DaaxT1LPh55vkluj6qK4ci81LL5VDC13bWrTnFP4a0HBtJz9rN78ebAZ/tLD13Kn
VHFbLVw0lmkhcmPH1NTJwKX8vwI9PYaWpokp4QpiFMlLiZiB/L11ig==
=fDY0
-----END PGP SIGNATURE-----
$ gpg --list-packets msg.sig 
# off=0 ctb=c2 tag=2 hlen=3 plen=517 new-ctb
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1618912168, md5len 0, sigclass 0x00
	digest algo 10, begin of digest eb b3
	critical hashed subpkt 2 len 4 (sig created 2021-04-20)
	hashed subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
	hashed subpkt 16 len 8 (issuer key ID 4E2AD944CFC78C86)
	hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable])
	hashed subpkt 33 len 21 (issuer fpr v4 C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86)
	data: [3070 bits]
$ gpg --verify msg.sig msg.txt 
gpg: Signature made Tue 20 Apr 2021 11:49:28 AM CEST
gpg:                using RSA key C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86
gpg: Good signature from "<alice@example.org>" [ultimate]
Primary key fingerprint: C796 6E3E 7CE6 7DBB ECE5  FC15 4E2A D944 CFC7 8C86
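As an added illustration of the point made in the description and in the follow-up comment (this is not code from the ticket, from GnuPG or from Sequoia), the Python below parses the detached signature msg.sig shown above, lists every issuer subpacket it carries, hashed or unhashed, and then picks candidate verification keys from a keyring indexed by fingerprint. The only real input is the armored signature block from this page; the keyring contents and the label "alice" are made up for the demonstration. What it shows: an issuer key ID that the verifier does not know (0123456789ABCDEF here) is a lookup hint to skip, not a reason to fail, and no issuer subpacket is proof of who signed. Even a hashed issuer is only covered by the signature being checked, and an unhashed one is attacker-controllable, so the caller still has to run the cryptographic verification against each candidate key.

```python
import base64

# The armored detached signature msg.sig shown earlier on this page.
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----

wsFFBAABCgB5BYJgfqOoCRABI0VniavN7wkQTirZRM/HjIZHFAAAAAAAHgAgc2Fs
dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnuNMxVTz/SgEpSAseODzeQTUP9Hcy
i0Fn1JNHa9F2xfAWIQTHlm4+fOZ9u+zl/BVOKtlEz8eMhgAA67ML/iZjlHlpsyUS
r57ayv28OgH4W8NdfB/Qx9wVCfcMImqmIuxA6fyd7NDzcCwleO7/UlG4sPsyQyr+
doM6mdh9vXIwVDyK5Ou5opDWQ+7S+GroFAyuFIiKqX6jSL8iZekK7L7KS90uz3hW
WyxQd6Kz0clOVym0yrfsCsJMUV4Way9cqgZE8uid5PFM7OZFT5m9t2XXMwFcLZix
Kdb34x5tMQ1XnBPjDansTVPxOgjja2SDVc6fp5v9J4mZ9qNIvNMsL3mnFIezGB51
L4BVzmL5060MJU4AsEZxoYGGqi2CWxqgYlzSIDix9RYQw6zNF11MKHJS/NYY7aqS
MsdPi5JHeOcwKvUk9RKQK5xenCFv2trkRs/akuv8fYPjpSgcrdx1ufBuFB51Pd4N
DaaxT1LPh55vkluj6qK4ci81LL5VDC13bWrTnFP4a0HBtJz9rN78ebAZ/tLD13Kn
VHFbLVw0lmkhcmPH1NTJwKX8vwI9PYaWpokp4QpiFMlLiZiB/L11ig==
=fDY0
-----END PGP SIGNATURE-----
"""

SUBPKT_ISSUER_KEYID, SUBPKT_ISSUER_FPR = 16, 33


def dearmor(text):
    """Strip ASCII armor. The CRC24 trailer line ("=fDY0") is skipped, not checked."""
    body, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside and line.strip() and not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))


def varlen(buf, pos, subpacket=False):
    """RFC 4880 new-format packet length (4.2.2) or subpacket length (5.2.3.1).
    They differ only in where the two-octet form ends; partial bodies are refused."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths not supported")


def parse_subpackets(area, hashed):
    out, pos = [], 0
    while pos < len(area):
        length, pos = varlen(area, pos, subpacket=True)
        typ = area[pos]
        out.append({"type": typ & 0x7F, "critical": bool(typ & 0x80),
                    "hashed": hashed, "data": area[pos + 1:pos + length]})
        pos += length
    return out


def parse_signature(packet):
    """Minimal v4 signature packet parser: header fields plus both subpacket areas."""
    ctb = packet[0]
    if not (ctb & 0x40) or (ctb & 0x3F) != 2:
        raise ValueError("expected a new-format signature packet (tag 2)")
    plen, pos = varlen(packet, 1)
    body = packet[pos:pos + plen]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sig = {"version": 4, "sigclass": body[1], "pk_algo": body[2], "hash_algo": body[3]}
    hlen = int.from_bytes(body[4:6], "big")
    hashed, pos = body[6:6 + hlen], 6 + hlen
    ulen = int.from_bytes(body[pos:pos + 2], "big")
    unhashed, pos = body[pos + 2:pos + 2 + ulen], pos + 2 + ulen
    sig["left16"] = body[pos:pos + 2]                      # first two octets of the digest
    sig["mpi_bits"] = int.from_bytes(body[pos + 2:pos + 4], "big")  # RSA: a single MPI
    sig["subpackets"] = parse_subpackets(hashed, True) + parse_subpackets(unhashed, False)
    return sig


def issuers(sig):
    """Every issuer hint in packet order: (kind, upper-hex value, was_hashed)."""
    found = []
    for sp in sig["subpackets"]:
        if sp["type"] == SUBPKT_ISSUER_KEYID and len(sp["data"]) == 8:
            found.append(("keyid", sp["data"].hex().upper(), sp["hashed"]))
        elif sp["type"] == SUBPKT_ISSUER_FPR and len(sp["data"]) == 21 and sp["data"][0] == 4:
            found.append(("fpr", sp["data"][1:].hex().upper(), sp["hashed"]))
    return found


def candidate_keys(sig, keyring):
    """Keys in `keyring` (v4 fingerprint -> label) named by ANY issuer hint.
    Unknown hints are skipped, never fatal. The result is a list of keys to try;
    the caller must still verify the signature against each one, because an
    issuer subpacket is a self-asserted hint, not evidence of who signed."""
    cands = []
    for kind, value, _hashed in issuers(sig):
        for fpr in keyring:
            # For v4 keys the key ID is the low 64 bits of the fingerprint.
            if (kind == "fpr" and fpr == value) or (kind == "keyid" and fpr.endswith(value)):
                if fpr not in cands:
                    cands.append(fpr)
    return cands


if __name__ == "__main__":
    sig = parse_signature(dearmor(ARMORED_SIG))
    for kind, value, hashed in issuers(sig):
        print(f"{kind:5} {value} {'hashed' if hashed else 'UNHASHED'}")
    # Constructed keyring: only Alice's fingerprint from this page is in it.
    print(candidate_keys(sig, {"C7966E3E7CE67DBBECE5FC154E2AD944CFC78C86": "alice"}))
```

Running it lists the two issuer key IDs and the issuer fingerprint from the gpg --list-packets output above and selects Alice's key as the single candidate; with a keyring that holds neither key the candidate list is simply empty, which is the behaviour the comment credits gpg with rather than an import or verification error.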