Page MenuHome GnuPG
Create Task
Maniphest T6173

Invalid signing-key when doing a signature-check of GnuPG installer-packages, signed by Werner Koch's signing-key in de-vs Mode (aka VS-NfD Mode)
Closed, ResolvedPublic
Actions

Description

From the point of view of the BSI, Werner Koch uses a non VS-NfD / de-vs compilant Signing-Key for signing the official GnuPG installer-packages.

The reason is that Werner is using the famous "Bernstein-Curve" (Curve 25519) as his pk-algorithm ...

I think it is a good time to ask, when the BSI will accept Curve25519 as a legal VS-NfD / de-vs Algorithm ?

Error-Message:
gpg: Schlüssel "528897B826403ADA" darf zum Signieren im --compliance=de-vs Modus nicht verwendet werden.
gpg: Signatur kann nicht geprüft werden: Ungültiges Public-Key-Verfahren

Best regards,

Macro ripfernmeldegeheimnis: 

Veit Berwig

Related Objects

Event Timeline

vitusb triaged this task as Normal priority.Aug 30 2022, 2:57 PM
vitusb created this task.
vitusb created this object in space S1 Public.
werner edited projects, added workaround, Restricted Project; removed gpg4win.Aug 30 2022, 5:19 PM

In general I use my standard ed25519 signing token for all software. However, GnuPG VS-Desktop is signed using a Brainpool key named GnuPG.com (stored on a smartcard with 2 replicas) for the simple reason that it does not raise questions when ppl update their GnuPG VS-Desktop and run into a non-compliant key.

If you want to check anyway, the option --override-compliance-check can be used. See also T5655.

I am also pretty sure that eventually Ed25519 (aka X25519) will be allowed by FIPS and the BSI.

werner added a comment.Aug 31 2022, 4:55 PM

Small correction: We don't have replicas of our code signing key. I mistook this with out Authenticode signing key.

werner closed this task as Resolved.Sep 2 2022, 3:06 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jul 24 2023, 2:12 PM