
OpenPGP Cleartext Signature Framework
Testing, Normal, Public

Description

Armored data handling in GnuPG is lax (and/or OpenPGP format syntax for that is ambiguous).

An attacker can craft a One-Pass Signed Message (data + signature) which looks like a signature because of BEGIN PGP SIGNATURE and END PGP SIGNATURE, and prepend fake information with a malformed BEGIN PGP SIGNED MESSAGE (say, with an additional hyphen before the newline control character). Users misinterpret it as if it's a correct signed message with a valid header, and could be deceived.


Event Timeline

gniibe created this object in space Restricted Space.
gniibe created this object with visibility "g10code (Project)".
gniibe created this object with edit policy "g10code (Project)".

Mitigation would be: adding context validation in the add_onepass_sig function, which checks WHAT of the armored input.

Here is a patch (revised since my email):

Validation is added in the parse_onepass_sig function. (Before the revision, I did it in add_onepass_sig, but to minimize the change, this is better.)

gniibe mentioned this in Unknown Object (Maniphest Task). Nov 10 2025, 2:51 AM

Here is a revised patch (hopefully the last one):

An error in parsing is not good, I realized. Instead, the armor context is recorded in the mainproc context, and it is validated when it's a one-pass signature.
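As an added example (not code from GnuPG and not the patch discussed above), the following Python sketch performs, on the armored text rather than inside GnuPG's packet parser, the context check the report and gniibe's comments describe: in a cleartext-signed message the block between BEGIN PGP SIGNATURE and END PGP SIGNATURE must begin with a signature packet (tag 2), never with a one-pass signature packet (tag 4), and the first line must be exactly -----BEGIN PGP SIGNED MESSAGE-----, not a look-alike with an extra hyphen. The function names, the two sample messages and the placeholder packet bytes are constructed for this illustration; the base64 bodies are not real signatures, only a packet header byte followed by filler.

```python
import base64

# Canonical armor lines for a cleartext-signed message (RFC 4880, sections 6.2 and 7).
CLEARTEXT_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# OpenPGP packet tags (RFC 4880, section 4.3).
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIGNATURE = 4


def packet_tag(first_byte):
    """Decode the packet tag from the first byte of an OpenPGP packet header."""
    if not first_byte & 0x80:
        raise ValueError("not an OpenPGP packet header (bit 7 clear)")
    if first_byte & 0x40:                # new-format header: tag in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F      # old-format header: tag in bits 2..5


def armor_payload(body_lines):
    """Decode the base64 data found between the BEGIN and END armor lines.

    Armor headers (e.g. 'Version:') are separated from the data by one blank
    line; the trailing '=XXXX' line is the CRC24 checksum and is skipped."""
    if "" in body_lines:
        body_lines = body_lines[body_lines.index("") + 1:]
    b64 = "".join(line.strip() for line in body_lines if not line.startswith("="))
    return base64.b64decode(b64, validate=True)


def check_cleartext_signed(text):
    """Return a list of findings; an empty list means the layout is structurally sane."""
    findings = []
    lines = text.splitlines()
    # The cleartext header must be byte-exact; an extra hyphen is not a header.
    if not lines or lines[0] != CLEARTEXT_HEADER:
        findings.append("first line is not the exact cleartext header: %r"
                        % (lines[0] if lines else ""))
    # A second header-like line buried in the text is also suspicious.
    for number, line in enumerate(lines[1:], start=2):
        if "BEGIN PGP SIGNED MESSAGE" in line:
            findings.append("line %d: extra or malformed cleartext header %r" % (number, line))
    if SIG_BEGIN not in lines or SIG_END not in lines:
        findings.append("missing BEGIN/END PGP SIGNATURE lines")
        return findings
    begin, end = lines.index(SIG_BEGIN), lines.index(SIG_END)
    if end < begin:
        findings.append("END PGP SIGNATURE precedes BEGIN PGP SIGNATURE")
        return findings
    try:
        tag = packet_tag(armor_payload(lines[begin + 1:end])[0])
    except (ValueError, IndexError) as exc:     # binascii.Error is a ValueError
        findings.append("undecodable signature block: %s" % exc)
        return findings
    # The context check: a detached signature over the text above starts with a
    # signature packet; a one-pass signature packet means a whole signed message
    # was smuggled into the signature block.
    if tag == TAG_ONE_PASS_SIGNATURE:
        findings.append("signature block starts with a one-pass signature packet (tag 4): "
                        "embedded signed message, not a signature over the text above")
    elif tag != TAG_SIGNATURE:
        findings.append("signature block starts with unexpected packet tag %d" % tag)
    return findings


def _armored_block(first_packet_byte):
    # Constructed placeholder: only the first byte (a packet header) matters here; the
    # rest is zero filler and the CRC line is a dummy, so this is NOT a real signature.
    data = base64.b64encode(bytes([first_packet_byte]) + b"\x00" * 8).decode()
    return "\n".join([SIG_BEGIN, "", data, "=AAAA", SIG_END])


# Constructed sample 1: canonical layout; the block starts with an old-format
# signature packet header (0x89 = 1000 1001: tag 2, two-octet length).
GENUINE_LAYOUT = "\n".join([CLEARTEXT_HEADER, "Hash: SHA256", "",
                            "This is the text the reader is meant to see.",
                            _armored_block(0x89)])

# Constructed sample 2: the deception from the report: an extra hyphen on the header
# and a "signature" block that really starts with a one-pass signature packet
# (0xC4 = 1100 0100: new-format header, tag 4).
FORGED_LAYOUT = "\n".join([CLEARTEXT_HEADER + "-", "Hash: SHA256", "",
                           "This is the text the attacker wants shown.",
                           _armored_block(0xC4)])

if __name__ == "__main__":
    for name, sample in (("genuine layout", GENUINE_LAYOUT), ("forged layout", FORGED_LAYOUT)):
        print(name, "->", check_cleartext_signed(sample) or "no findings")
```

This is a pre-check for a viewer or mail pipeline, not a replacement for verification: it inspects only the first packet header and the header lines, and says nothing about whether the signature itself is valid, which remains gpg's job. Its value is that it refuses to present a block as "a signature over the text above" when the block's first packet says otherwise, which is the same distinction the mainproc-context validation makes inside GnuPG.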

werner added a subscriber: werner.

There are a lot of other ways to confuse the user. We can't fix them all because the whole purpose of a cleartext signature is to make it easy to use in legacy environments like a BBS. Modern systems use MIME to handle this in a more stringently specified way. For any use it is strongly suggested to check the actual signed data, which is available with the --output option. At least a sanitizing viewer should be used which filters out all escape characters (something like cat -v | less).

werner shifted this object from the Restricted Space space to the S1 Public space. Fri, Dec 26, 2:55 PM
werner changed the visibility from "g10code (Project)" to "Public (No Login Required)".

https://gnupg.org/blog/20251226-cleartext-signatures.html explains why we have cleartext signatures and how you properly use them. The suggestion of the reporters to remove them entirely is a no-go because there are too many systems (open source or in-house) which rely on that format. If properly used (i.e. using --output to get the signed text) there is no problem. Anyway, the suggestion has always been to use detached signatures (using two files) or PGP/MIME.

werner changed the task status from Open to Testing. Fri, Jan 2, 4:35 PM