2.5.5 removes sig on clean that 2.5.4 and earlier kept
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	ametzler1
	Mar 23 2025, 12:49 PM

Description

Hello,
this was reported by Uwe Kleine-König as https://bugs.debian.org/1101007 against a version of gnpg with backported patches. I have checked whether it also applies to 2.5.5.

Given the attached keyring which was generated by running
install -d -m0700 /tmp/GNUPG2/gpghome
/tmp/GNUPG2/2.5.4/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --locate-external-keys u.kleine-koenig(at)baylibre.com tgamblin(at)baylibre.com
/tmp/GNUPG2/2.5.4/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --export --export-options export-clean > exported-clean-2.5.4.gpg

exported-clean-2.5.4.gpg14 KBDownload

gpg 2.5.5 will drop the signature by B0D589D46708EC99 on 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 when run with --export --export-options export-clean:

ametzler@argenau:/tmp/GNUPG2$ rm -rf /tmp/GNUPG2/gpghome ; install -d -m0700 /tmp/GNUPG2/gpghome ; /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.4.gpg --export --export-options export-clean > exported-clean-2.5.5.gpg
gpg: keybox '/tmp/GNUPG2/gpghome/pubring.kbx' created
ametzler@argenau:/tmp/GNUPG2$ /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.4.gpg --list-sigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 | grep B0D589D46708EC99
gpg: /tmp/GNUPG2/gpghome/trustdb.gpg: trustdb created
sig B0D589D46708EC99 2024-11-29 Trevor Gamblin <tgamblin(at)baylibre.com>
ametzler@argenau:/tmp/GNUPG2$ /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.5.gpg --list-sigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 | grep B0D589D46708EC99
(Trevor's sig is missing)
ametzler@argenau:/tmp/GNUPG2$ ls -l exported-clean*
-rw-r--r-- 1 ametzler ametzler 14600 23. Mär 11:38 exported-clean-2.5.4.gpg
-rw-rw-r-- 1 ametzler ametzler 14034 23. Mär 12:45 exported-clean-2.5.5.gpg

Details

Version: 2.5.5

Revisions and Commits

rG GnuPG
	rG9b7c067717d8 gpg: Fix another regression due to the T7547 fix.
	rG483f2ba02e70 gpg: Fix another regression due to the T7547 fix.

Related Objects

Mentioned In: T7586: Release GnuPG 2.5.6
Mentioned Here: T7547: signatures from revoked or expired keys show up as missing keys

Event Timeline

ametzler1 renamed this task from 2.5.5 remves sig on clean that 2.5.4 and earlier kept to 2.5.5 removes sig on clean that 2.5.4 and earlier kept.Mar 23 2025, 12:49 PM

ametzler1 created this task.

Taking a bigger sample of keys from the same domain and doing the same testing shows that the signature by B0D589D46708EC99 is removed on all keys.

Similar testing can be done on
pgpkeys/keys/*asc from https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git which shows differences in both directions.

https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2025-March/009968.html

I noticed that the signing key B0D589D46708EC99 is a certify-only key. That signatures made with this key are dropped could be another regression of the fix for dkj's DoS bug.

Yes, this is related to T7547. With my last fix for that I overlooked that we use PUBKEY_USAGE_CERT to internally request the primary key but that one is not set because in general USAGE_SIG means the same (except for some case in PGP7 mode).

• werner added a commit: rG483f2ba02e70: gpg: Fix another regression due to the T7547 fix..Fri, May 2, 12:07 PM

• werner added a commit: rG9b7c067717d8: gpg: Fix another regression due to the T7547 fix..

• werner changed the task status from Open to Testing.Mon, May 5, 9:12 AM

• werner triaged this task as Normal priority.

This affects certification-only primary keys when doing web-of-trust calculations.

Without this fix, the following script shows Bob's calculated user ID validity as unknown. with this fix, it shows as full:

#!/bin/bash

set -e

GPG() {
    local id="$1"
    shift
    gpg --homedir "$(pwd)/$id" --batch --yes --command-fd 0 --pinentry-mode=loopback --passphrase '' "$@"
}

makekey() {
    local name="$1"
    rm -rf "$name"
    mkdir -p -m 0700 "$name"
    GPG "$name" --quick-gen-key "$name" ed25519 cert >/dev/null 2>&1
}

certify() {
    local signer="$1"
    local subject="$2"
    GPG "$subject" --export | GPG "$signer" --import >/dev/null 2>&1
    GPG "$signer" --edit-key "$subject" sign save >/dev/null 2>&1
    printf ": %5s  certifies %5s\n" "$signer" "$subject"
}

makekey Alice
makekey Bob
certify Alice Bob
GPG Alice --check-trustdb 2>/dev/null
GPG Alice --check-sigs Bob

btw, my clue was that in that last --check-sigs, if i used --debug-all i got this:

gpg: DBG: ecc_verify    => Good
gpg: DBG: finish_lookup: checking key 495E6BF7 (one)(req_usage=1,verify)
gpg: DBG: 	exact search requested and found
gpg: DBG: 	primary key usage does not match: want=1 have=4
gpg: DBG: 	no suitable key found -  giving up

• werner closed this task as Resolved.Thu, May 8, 3:29 PM

• werner claimed this task.

• werner mentioned this in T7586: Release GnuPG 2.5.6.