Page MenuHome GnuPG
Create Task
Maniphest T5655

In -de-vs mode it is not possible so verify sigs with Ed25519 release keys.
Closed, ResolvedPublic
Actions

Description

This is a practical problem for customers of GnuPG VS-Desktop, where the compliance mode is globally configured.

gpg should not bail out here but verify the signature and print a notice. For script compatibility an extra option might be useful.

Revisions and Commits

rG GnuPG
rGaecebdf7050c gpg: Replace --override-compliance-check by a real fix.
rGd98bf02a0363 gpg: Replace --override-compliance-check by a real fix.
rG773b8fbbe915 gpg: New option --override-compliance-check
rGfb26e144adfd gpg: New option --override-compliance-check

Related Objects

Event Timeline

werner triaged this task as High priority.Oct 13 2021, 3:01 PM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
ikloecker added a subscriber: ikloecker.Oct 13 2021, 5:05 PM

Wouldn't it be safer to use gpgv for verifying the signature than to add a code path to gpg to circumvent the hard de-vs compliance check?

werner added a commit: rGfb26e144adfd: gpg: New option --override-compliance-check.Oct 13 2021, 5:27 PM
werner added a commit: rG773b8fbbe915: gpg: New option --override-compliance-check.Oct 13 2021, 5:39 PM
werner closed this task as Resolved.Oct 20 2021, 12:21 PM
werner claimed this task.

Yes, but it is more complicated to do because you need to download a binary version of the keys and check that they are authentic. Most users don't known it. Anyway, I meanwhile created a Brainpool release sign key and new VSD releases are signed with that. The override option does not really harm, but we can close this bug due to the new release key.

werner mentioned this in T5641: Release GnuPG 2.2.33.Nov 23 2021, 11:56 AM
werner mentioned this in T5654: Release GnuPG 2.3.4.Dec 20 2021, 11:08 PM
werner mentioned this in T6173: Invalid signing-key when doing a signature-check of GnuPG installer-packages, signed by Werner Koch's signing-key in de-vs Mode (aka VS-NfD Mode).Aug 30 2022, 5:19 PM
werner added a commit: rGd98bf02a0363: gpg: Replace --override-compliance-check by a real fix..Jan 20 2023, 11:07 AM
werner added a commit: rGaecebdf7050c: gpg: Replace --override-compliance-check by a real fix..Jan 20 2023, 11:13 AM
werner added a comment.Jan 20 2023, 11:15 AM

The introduction of --override-compliance-check actually hid the real
cause for the signature verification problem in de-vs mode for the
Ed25519 key. The real fix is to handle the EdDSA algorithm in
gnupg_pk_is_allowed.

Fixed for 2.2.42 and 2.4.1.

werner mentioned this in T6454: Release GnuPG 2.4.1.Apr 28 2023, 2:45 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jul 24 2023, 2:12 PM