diff options
| author | Werner Koch <[email protected]> | 2025-10-22 10:39:15 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2025-10-22 10:39:15 +0000 |
| commit | 8abc320f2a75d6c7339323a3cff8a8489199f49f (patch) | |
| tree | 93193907856c4696901ff1471a881b78609c926f | |
| parent | gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures. (diff) | |
| download | gnupg-8abc320f2a75d6c7339323a3cff8a8489199f49f.tar.gz gnupg-8abc320f2a75d6c7339323a3cff8a8489199f49f.zip | |
gpg: Error out on unverified output for non-detached signatures.
* g10/mainproc.c (do_proc_packets): Never reset the any.data flag.
--
Fixes-commit: 3b1b6f9d98b38480ba2074158fa640b881cdb97e
Updates-commit: 69384568f66a48eff3968bb1714aa13925580e9f
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
When using
gpg --verify -o - msg.sig msg
even with the --batch option the outout written to stdout or the file
five to -o may not be what has been verified. For example given a
file "msg" with this content:
--8<---------------cut here---------------start------------->8---
It is a wise father that knows his own child.
-- William Shakespeare, "The Merchant of Venice"
--8<---------------cut here---------------end--------------->8---
and a manipulated "msg.sig" (named "msg-mod.sig") the output could be
$ gpg --verify -o - --batch msg-mod.sig msg
The last thing one knows in constructing a work is what to put first.
-- Blaise Pascal
gpg: Signature made Wed 22 Oct 2025 11:51:52 AM CEST
gpg: using EDDSA key A7F91C6EB9395B25B4A9BAD25B9[...]
gpg: Good signature from "[email protected]" [ultimate]
The plaintext shown is ot what has been verified (i.e. the first
quote) and may lead the user top wrong conclusions.
But note: Using the output of the verify command for detached
signatures is useless because with a non-manipulated signature nothing
would haven been written.
How to replicate the whole thing:
1. Import this public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaPio6RYJKwYBBAHaRw8BAQdAt0yaE+e5CG9iLdEJnZqTv3QUj2/eoMuQR55/
y4tbGr20EWFsaWNlQGV4YW1wbGUub3JniLUEExYKAF0WIQSn+RxuuTlbJbSputJb
mJ0rJeN/3AUCaPio6RsUgAAAAAAEAA5tYW51MiwyLjUrMS4xMSwyLDICGwMFCQWj
moAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQW5idKyXjf9x2WwD7BQrA
0p7XnalGu83R+Kx7UvMvPnwwBb/P2CMlHlU5+TMBAICnsrHa/pFClAE3pA2io0rF
+9M55DF3gkYTkpIWf1YBuDgEaPio6RIKKwYBBAGXVQEFAQEHQHEcigLeQJiXMMui
LDCFO9EVFQqt5wDu5fhyt8haLpVbAwEIB4iUBBgWCgA8FiEEp/kcbrk5WyW0qbrS
W5idKyXjf9wFAmj4qOkbFIAAAAAABAAObWFudTIsMi41KzEuMTEsMiwyAhsMAAoJ
EFuYnSsl43/czvIBANaamGqOQgF02ykNkP62wj/1iYuXn5bXHXRtmV7htjQiAQCO
HZYHTrVSBoyYfT40zVFSFtydnlLAlFisZNuydwPPDw==
=GjvX
-----END PGP PUBLIC KEY BLOCK-----
2. Unpack the first quote below and put it into the file "msg"
-----BEGIN PGP ARMORED FILE-----
Comment: Use "gpg --dearmor" for unpacking
SXQgaXMgYSB3aXNlIGZhdGhlciB0aGF0IGtub3dzIGhpcyBvd24gY2hpbGQuCgkJ
LS0gV2lsbGlhbSBTaGFrZXNwZWFyZSwgIlRoZSBNZXJjaGFudCBvZiBWZW5pY2Ui
Cg==
=0fUy
-----END PGP ARMORED FILE-----
3. Unpack the original signature into the file "msg.sig"
-----BEGIN PGP ARMORED FILE-----
iJEEABYKADkWIQSn+RxuuTlbJbSputJbmJ0rJeN/3AUCaPipOBsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMSwyLDIACgkQW5idKyXjf9w6UwD/fS6X9bs36WXVN5BSANIA
bhtHb8X4jZu4NFKk/ZSwUtIBANMdYO6F1kUMyFNZVZa4Yk12UmcClF9mXLBVlfeH
RFkL
=wCLE
-----END PGP ARMORED FILE-----
4. Unpack the modified signature into the file "msg-mod.sig"
-----BEGIN PGP ARMORED FILE-----
kA0DAAoWW5idKyXjf9wBy19iAGj4qrhUaGUgbGFzdCB0aGluZyBvbmUga25vd3Mg
aW4gY29uc3RydWN0aW5nIGEgd29yayBpcyB3aGF0IHRvIHB1dCBmaXJzdC4KCQkt
LSBCbGFpc2UgUGFzY2FsCoiRBAAWCgA5FiEEp/kcbrk5WyW0qbrSW5idKyXjf9wF
Amj4qTgbFIAAAAAABAAObWFudTIsMi41KzEuMTEsMiwyAAoJEFuYnSsl43/cOlMA
/30ul/W7N+ll1TeQUgDSAG4bR2/F+I2buDRSpP2UsFLSAQDTHWDuhdZFDMhTWVWW
uGJNdlJnApRfZlywVZX3h0RZC8r/AAAAA1BHUA==
=DafU
-----END PGP ARMORED FILE-----
Now run
gpg --verify -o - msg.sig msg
gpg --verify -o - msg-mod.sig msg
after this pacth is applied the second command will output an error
message "gpg: not a detached signature"
The modification was to prepend a one-pass signature packet for alices
signature and a a literal data packet with the second quote to the
original signature and also append a marker packet or something other.
gpgsplit is the tool of choice here. Thus the packet composition of
msg-mod.sig is:
:onepass_sig packet: keyid 5B989D2B25E37FDC
version 3, sigclass 0x00, digest 10, pubkey 22, last=1
:literal data packet:
mode b (62), created 1761127096, name="",
raw data: 89 bytes
:signature packet: algo 22, keyid 5B989D2B25E37FDC
version 4, created 1761126712, md5len 0, sigclass 0x00
[...]
:marker packet: PGP
Kudos to the reporter for the detailed report.
| -rw-r--r-- | g10/mainproc.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/g10/mainproc.c b/g10/mainproc.c index e2703516c..8108a07b7 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -1838,10 +1838,14 @@ do_proc_packets (CTX c, iobuf_t a, int keep_dek_and_list) * packet and not to reuse the current one ... It works right * when there is a compression packet between which adds just * an extra layer. + * + * Note that we should not reset the any.data due to another + * packets. Just set it once on seeing a plaintext. + * * Hmmm: Rewrite this whole module here?? */ if (pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC) - c->any.data = (pkt->pkttype == PKT_PLAINTEXT); + c->any.data |= (pkt->pkttype == PKT_PLAINTEXT); if (newpkt == -1) ; |