Title: PGP-2 Keys are handled as if their Fingerprint is always zero
Priority: urgent
Status: resolved
Category: gnupg
Version: 2.0.28
Nosy List: aheinecke, bernhard, werner
Assigned To: werner

Created on 2015-06-05.17:14:07 by aheinecke, last changed 2015-09-09.14:15:45 by werner.

File name: wrong_valid_sig.png
Uploaded: aheinecke, 2015-06-05.17:14:07
Type: image/png
msg6974 Author: werner Date: 2015-09-09.14:15:44
Fix released with 2.0.29.
msg6510 Author: werner Date: 2015-06-17.06:43:47
Fixed with commit be34857.

PGP-2 fingerprints are enabled again but a warning is printed.  There is no need
to reject the signature because the key itself may be valid if it uses non-MD5
self-signatures.  GUIs however should detect a 16 byte fingerprint and also
print an appropriate warning.
msg6446 Author: bernhard Date: 2015-06-08.12:42:41
On Monday 08 June 2015 at 12:50:23, Werner Koch via BTS wrote:
> Workaround: --allow-weak-digest-algos

Does not work as I expected it.
msg6445 Author: werner Date: 2015-06-08.10:50:23
Workaround: --allow-weak-digest-algos

But I agree that this is not a good option.  We better reject the signature.
msg6434 Author: aheinecke Date: 2015-06-05.17:14:07
We've noticed the following problem with Debian Jessie (2.0.26-6) and I've also
checked that this happens with 2.0.28:

- User has a mail signed by a PGP-2 key. (e.g. 0xBF85AB31) 

- Verifying this with gpgparsemail gives you:

gpg: Signature made Mon 27 May 2013 01:04:45 PM CEST using RSA key ID BF85AB31
gpg: Note: signatures using the MD5 algorithm are rejected
c [GNUPG:] SIG_ID i99YU0xsFZXBhWvkV4R/fNpcgUs 2013-05-27 1369652685
c [GNUPG:] GOODSIG 9BA06915BF85AB31 [uncertain] Matthias Kalle Dalheimer (Company address) <>
gpg: Good signature from "Matthias Kalle Dalheimer (Company address) <>" [uncertain]
c [GNUPG:] VALIDSIG 00000000000000000000000000000000 2013-05-27 1369652685 0 3 0 1 2 00 00000000000000000000000000000000

- Kleopatra takes that fingerprint (00000000000000000000000000000000) and uses
it to look up more information about that key.

- If you have another PGP-2 key (e.g. 0x23F5ADDB) in your pubring this can
return the wrong key. 

If you do:
gpg --list-key 00000000000000000000000000000000

It shows you all the PGP-2 keys in your keyring. 

- Kleo (or gpgme, have to check) just takes the first key where the fingerprint
matches and shows the validity information based on this key.

- The validity of the signature is checked against key 1 and the validity of the
key is checked against key 2.

This leads to the scenario where I can spoof KMail into showing valid signatures
coming from the last PGP-2 key in your public keyring by using another PGP-2 key
even if you never trusted that other key.

I'll fix in kleopatra that zero fingerprints are rejected.

But GnuPG should either reject working with such keys (like gpg 2.1 does) or
properly handle them.

If needed I can send you the test data privately. I don't have a PGP-2 testkey
at hand to generate an anonymized test case.
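
The front-end checks discussed in this thread (rejecting an all-zero fingerprint before any key lookup, and warning on a 16 byte fingerprint), as an added example that is not code from GnuPG, gpgme or Kleopatra. The function names are hypothetical, the field positions follow the VALIDSIG line in the report, and the two non-zero fingerprints in the sample are constructed.

```python
import re

STATUS_PREFIX = "[GNUPG:] "
HEX = re.compile(r"[0-9A-Fa-f]+")

def classify_fingerprint(fpr):
    """Return (usable_for_key_lookup, warning or None) for one hex fingerprint."""
    if not HEX.fullmatch(fpr):
        return False, "malformed fingerprint"
    if set(fpr) == {"0"}:
        # On an affected gpg this value matches every PGP-2 key in the keyring.
        return False, "all-zero fingerprint, key lookup refused"
    if len(fpr) == 32:
        return True, "16-byte fingerprint: PGP-2 key, show a warning"
    return True, None

def check_validsig_lines(status_output):
    """Classify the fingerprints carried by every VALIDSIG status line."""
    results = []
    for line in status_output.splitlines():
        pos = line.find(STATUS_PREFIX)
        if pos < 0:
            continue  # human-readable "gpg: ..." line, not a status line
        fields = line[pos + len(STATUS_PREFIX):].split()
        if len(fields) < 2 or fields[0] != "VALIDSIG":
            continue
        # Field 1 is the signing key, field 10 (when present) the primary key.
        fprs = [fields[1]] + ([fields[10]] if len(fields) > 10 else [])
        verdicts = [classify_fingerprint(f) for f in fprs]
        usable = all(ok for ok, _ in verdicts)
        warnings = sorted({w for _, w in verdicts if w})
        results.append((fields[1], usable, warnings))
    return results

# First VALIDSIG line is the one from the report; the other two are constructed.
SAMPLE = """\
gpg: Signature made Mon 27 May 2013 01:04:45 PM CEST using RSA key ID BF85AB31
c [GNUPG:] VALIDSIG 00000000000000000000000000000000 2013-05-27 1369652685 0 3 0 1 2 00 00000000000000000000000000000000
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF 2013-05-27 1369652685 0 3 0 1 2 00 0123456789ABCDEF0123456789ABCDEF
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-05-27 1369652685 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    for fpr, usable, warnings in check_validsig_lines(SAMPLE):
        print(fpr, "lookup allowed" if usable else "lookup refused", warnings)
```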

Date                 User       Action  Args
2015-09-09 14:51:07  aheinecke  link    issue1960 superseder
2015-09-09 14:15:45  werner     set     status: testing -> resolved; messages: + msg6974
2015-06-17 06:43:47  werner     set     status: chatting -> testing; messages: + msg6510
2015-06-08 12:42:41  bernhard   set     messages: + msg6446
2015-06-08 10:50:23  werner     set     status: unread -> chatting; messages: + msg6445
2015-06-05 17:14:07  aheinecke  create