
2.5.5 removes sig on clean that 2.5.4 and earlier kept
Open, Needs Triage, Public

Description

Hello,
this was reported by Uwe Kleine-König as https://bugs.debian.org/1101007 against a version of gnupg with backported patches. I have checked whether it also applies to 2.5.5.

Given the attached keyring which was generated by running
install -d -m0700 /tmp/GNUPG2/gpghome
/tmp/GNUPG2/2.5.4/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --locate-external-keys u.kleine-koenig(at)baylibre.com tgamblin(at)baylibre.com
/tmp/GNUPG2/2.5.4/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --export --export-options export-clean > exported-clean-2.5.4.gpg

gpg 2.5.5 will drop the signature by B0D589D46708EC99 on 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 when run with --export --export-options export-clean:

ametzler@argenau:/tmp/GNUPG2$ rm -rf /tmp/GNUPG2/gpghome ; install -d -m0700 /tmp/GNUPG2/gpghome ; /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.4.gpg --export --export-options export-clean > exported-clean-2.5.5.gpg
gpg: keybox '/tmp/GNUPG2/gpghome/pubring.kbx' created
ametzler@argenau:/tmp/GNUPG2$ /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.4.gpg --list-sigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 | grep B0D589D46708EC99
gpg: /tmp/GNUPG2/gpghome/trustdb.gpg: trustdb created
sig B0D589D46708EC99 2024-11-29 Trevor Gamblin <tgamblin(at)baylibre.com>
ametzler@argenau:/tmp/GNUPG2$ /tmp/GNUPG2/2.5.5/usr/bin/gpg --homedir /tmp/GNUPG2/gpghome --keyring /tmp/GNUPG2/exported-clean-2.5.5.gpg --list-sigs 0D2511F322BFAB1C1580266BE2DCDD9132669BD6 | grep B0D589D46708EC99
(Trevor's sig is missing)
ametzler@argenau:/tmp/GNUPG2$ ls -l exported-clean*
-rw-r--r-- 1 ametzler ametzler 14600 23. Mär 11:38 exported-clean-2.5.4.gpg
-rw-rw-r-- 1 ametzler ametzler 14034 23. Mär 12:45 exported-clean-2.5.5.gpg

Details

Version
2.5.5

Event Timeline

ametzler1 renamed this task from "2.5.5 remves sig on clean that 2.5.4 and earlier kept" to "2.5.5 removes sig on clean that 2.5.4 and earlier kept". Sun, Mar 23, 12:49 PM
ametzler1 created this task.

Taking a bigger sample of keys from the same domain and doing the same testing shows that the signature by B0D589D46708EC99 is removed on all keys.

Similar testing can be done on
pgpkeys/keys/*asc from https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git which shows differences in both directions.

https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2025-March/009968.html

I noticed that the signing key B0D589D46708EC99 is a certify-only key. That signatures made with this key are dropped could be another regression of the fix for dkj's DoS bug.
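Added example, not code from this bug report or from GnuPG: a script that runs export-clean with two gpg builds over the same keyring and reports, per key, the certifications one build keeps and the other drops, in both directions (the comparison done by hand above, extended to the larger key samples mentioned in the follow-ups). Dropped certifications whose signer's primary key carries no 's' capability are flagged, since that is the property noted for B0D589D46708EC99. The binary paths and keyring passed on the command line are assumptions; the parser works on `gpg --with-colons --list-sigs` output and is exercised on a constructed sample modelled on the listing above.

```python
#!/usr/bin/env python3
"""Compare which certifications two gpg builds keep under export-clean.

Added example, not code from the bug report or from GnuPG. Binary paths and
keyring are assumptions given on the command line; the parser consumes
`gpg --with-colons --list-sigs` output and is exercised on a constructed
sample below."""
import subprocess
import tempfile
from collections import defaultdict
from pathlib import Path


def parse_listing(colon_output):
    """Parse `gpg --with-colons --list-sigs` output.

    Returns (sigs, caps). sigs maps a primary fingerprint to the set of
    (user id, signer key id) certifications on that key. caps maps a primary
    key id to the lowercase letters of field 12 of its pub record, i.e. the
    primary key's own capabilities ('c' alone means certify-only)."""
    sigs = defaultdict(set)
    caps = {}
    fpr = uid = None
    section = None  # packet the following sig records hang off: pub, uid or sub
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            fpr = uid = None
            section = "pub"
            caps[f[4]] = {c for c in f[11] if c.islower()}
        elif rec == "fpr" and section == "pub" and fpr is None:
            fpr = f[9]
        elif rec == "uid":
            uid, section = f[9], "uid"
        elif rec == "sub":
            section = "sub"  # subkey binding signatures are not certifications
        elif rec in ("sig", "rev") and section in ("pub", "uid") and fpr:
            sigs[fpr].add((uid or "<direct key signature>", f[4]))
    return dict(sigs), caps


def compare(before, after):
    """Return {fingerprint: (dropped, added)} for keys whose sig sets differ."""
    diff = {}
    for fpr in before.keys() | after.keys():
        b, a = before.get(fpr, set()), after.get(fpr, set())
        if b != a:
            diff[fpr] = (b - a, a - b)
    return diff


def report(diff, caps):
    """One line per changed certification; certify-only signers are flagged."""
    lines = []
    for fpr, (dropped, added) in sorted(diff.items()):
        for uid, signer in sorted(dropped):
            note = ""
            if signer in caps and "s" not in caps[signer]:
                note = " (signer's primary key is certify-only)"
            lines.append(f"{fpr}: dropped sig by {signer} on '{uid}'{note}")
        for uid, signer in sorted(added):
            lines.append(f"{fpr}: added sig by {signer} on '{uid}'")
    return lines


def clean_and_list(gpg_bin, keyring):
    """export-clean `keyring` with `gpg_bin` in a fresh homedir, then list it.

    Assumes gpg_bin is a 2.x build accepting --homedir, --no-default-keyring,
    --keyring, --export-options and --with-colons."""
    with tempfile.TemporaryDirectory() as home:  # created mode 0700
        base = [gpg_bin, "--homedir", home, "--no-default-keyring", "--keyring"]
        cleaned = subprocess.run(
            base + [str(keyring), "--export", "--export-options", "export-clean"],
            check=True, capture_output=True).stdout
        out = Path(home) / "cleaned.gpg"
        out.write_bytes(cleaned)
        listing = subprocess.run(
            base + [str(out), "--with-colons", "--list-sigs"],
            check=True, capture_output=True, text=True).stdout
    return parse_listing(listing)


# Constructed sample modelled on the report: Trevor's certify-only primary key
# certifies Uwe's user id. Trevor's 40-hex fingerprint is a placeholder.
TREVOR_ON_UWE = ("sig:::22:B0D589D46708EC99:1732838400::::"
                 "Trevor Gamblin <tgamblin(at)baylibre.com>:10x:::::2:")
SAMPLE_254 = """\
pub:u:255:22:B0D589D46708EC99:1700000000:::u:::cESC::::::23::0:
fpr:::::::::000000000000000000000000B0D589D46708EC99:
uid:u::::1700000000::0000::Trevor Gamblin <tgamblin(at)baylibre.com>::::::::::0:
sig:::22:B0D589D46708EC99:1700000000::::Trevor Gamblin <tgamblin(at)baylibre.com>:13x:::::2:
sub:u:255:22:1111111111111111:1700000000::::::s::::::23:
fpr:::::::::0000000000000000000000001111111111111111:
sig:::22:B0D589D46708EC99:1700000000::::Trevor Gamblin <tgamblin(at)baylibre.com>:18x:::::2:
pub:-:255:22:E2DCDD9132669BD6:1690000000:::-:::scESC::::::23::0:
fpr:::::::::0D2511F322BFAB1C1580266BE2DCDD9132669BD6:
uid:-::::1690000000::0000::Uwe Kleine-König <u.kleine-koenig(at)baylibre.com>::::::::::0:
sig:::22:E2DCDD9132669BD6:1690000000::::Uwe Kleine-König <u.kleine-koenig(at)baylibre.com>:13x:::::2:
""" + TREVOR_ON_UWE + "\n"
SAMPLE_255 = SAMPLE_254.replace(TREVOR_ON_UWE + "\n", "")  # 2.5.5 drops that sig


if __name__ == "__main__":
    import sys
    old_gpg, new_gpg, keyring = sys.argv[1:4]  # e.g. 2.5.4 gpg, 2.5.5 gpg, keyring file
    old_sigs, caps = clean_and_list(old_gpg, keyring)
    new_sigs, _ = clean_and_list(new_gpg, keyring)
    print("\n".join(report(compare(old_sigs, new_sigs), caps)) or "no differences")
```

Run as `compare_clean.py /tmp/GNUPG2/2.5.4/usr/bin/gpg /tmp/GNUPG2/2.5.5/usr/bin/gpg keyring.gpg` (script name assumed); each build cleans the keyring in its own empty homedir so no trustdb or default keyring influences the result, and the capability flag comes from the same listing, so a signer whose key is not in the keyring is reported without the note.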