Howdy --
When trying to validate a signature produced by the Go standard-library OpenPGP implementation, I get the following:
grub> verify_detached /test /test.sig
error: public key 00000000 not found.
GnuPG verifies this same signature successfully. On investigation, there appear to be two differences, and I haven't yet narrowed down which one is relevant. Comparing the output of pgpdump between a working signature and a broken one:
## This works in GnuPG but not GRUB2's verify
New: Signature Packet(tag 2)(284 bytes)
Ver 4 - new
Sig type - Signature of a binary document(0x00).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Tue Apr 19 20:01:19 CDT 2016
Hashed Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x18C4A5DFD888B456
Hash left 2 bytes - e8 64
RSA m^d mod n(2048 bits) - ...
-> PKCS-1
## This works in both
Old: Signature Packet(tag 2)(284 bytes)
Ver 4 - new
Sig type - Signature of a binary document(0x00).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA1(hash 2)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Tue Apr 19 20:43:04 CDT 2016
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0xD452F94A220096E4
Hash left 2 bytes - 43 69
RSA m^d mod n(2046 bits) - ...
-> PKCS-1
The visible differences here (other than the hash algorithm, for which both are known to be supported) are whether the key id subpacket is hashed, and whether the 0x40 CTB flag is set.
Is there any upstream knowledge here, so I don't go chasing down false paths?