grub-devel

Re: verify not supporting all OpenPGP signature packets?


From: Andrei Borzenkov
Subject: Re: verify not supporting all OpenPGP signature packets?
Date: Wed, 20 Apr 2016 13:11:33 +0300

http://lists.gnu.org/archive/html/grub-devel/2016-03/msg00294.html

On Wed, Apr 20, 2016 at 4:59 AM, Charles Duffy <address@hidden> wrote:
> Howdy --
>
> When trying to validate a signature produced by the Go standard-library
> OpenPGP implementation, I get the following:
>
> grub> verify_detached /test /test.sig
> error: public key 00000000 not found.
>
> GnuPG verifies this same signature successfully. On investigation, there
> appear to be two differences, and I haven't yet narrowed down which one is
> relevant. Comparing the output of pgpdump between a working signature and a
> broken one:
>
> ## This works in GnuPG but not GRUB2's verify
> New: Signature Packet(tag 2)(284 bytes)
>         Ver 4 - new
>         Sig type - Signature of a binary document(0x00).
>         Pub alg - RSA Encrypt or Sign(pub 1)
>         Hash alg - SHA256(hash 8)
>         Hashed Sub: signature creation time(sub 2)(4 bytes)
>                 Time - Tue Apr 19 20:01:19 CDT 2016
>         Hashed Sub: issuer key ID(sub 16)(8 bytes)
>                 Key ID - 0x18C4A5DFD888B456
>         Hash left 2 bytes - e8 64
>         RSA m^d mod n(2048 bits) - ...
>                 -> PKCS-1
>
> ## This works in both
> Old: Signature Packet(tag 2)(284 bytes)
>         Ver 4 - new
>         Sig type - Signature of a binary document(0x00).
>         Pub alg - RSA Encrypt or Sign(pub 1)
>         Hash alg - SHA1(hash 2)
>         Hashed Sub: signature creation time(sub 2)(4 bytes)
>                 Time - Tue Apr 19 20:43:04 CDT 2016
>         Sub: issuer key ID(sub 16)(8 bytes)
>                 Key ID - 0xD452F94A220096E4
>         Hash left 2 bytes - 43 69
>         RSA m^d mod n(2046 bits) - ...
>                 -> PKCS-1
>
> The visible differences here (other than the hash algorithm, for which both
> are known to be supported) are whether the key id subpacket is hashed, and
> whether the 0x40 CTB flag is set.
>
> Is there any upstream knowledge here, so I don't go chasing down false
> paths?
>
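
The two differences named in the question (new-format CTB with bit 0x40 set, and the issuer key ID sitting in the hashed rather than the unhashed subpacket area) can be seen at the byte level with a small RFC 4880 packet walker. This is an added example, not code from the thread or from GRUB; the two packets are constructed samples with a dummy 8-bit MPI, and only the key IDs, hash algorithm numbers and hash-left bytes are taken from the pgpdump output quoted above. It shows where each field lives, not which difference GRUB's verify trips on.

```python
def read_len(buf, i, two_octet_max):      # new-format length -> (length, next_index)
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def read_header(pkt):
    """Return (format, tag, body_length, header_size), RFC 4880 section 4.2."""
    ctb = pkt[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                        # new format: tag in bits 5-0
        return ("new", ctb & 0x3F) + read_len(pkt, 1, 223)
    n = 1 << (ctb & 3)                    # old format: 1, 2 or 4 length octets
    if n == 8:
        raise ValueError("indeterminate length not handled")
    return "old", (ctb >> 2) & 15, int.from_bytes(pkt[1:1 + n], "big"), 1 + n

def subpackets(area):
    i = 0
    while i < len(area):
        n, i = read_len(area, i, 254)     # subpacket length counts the type octet
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]   # bit 7 is the critical flag
        i += n

def describe(pkt):
    fmt, tag, length, off = read_header(pkt)
    body = pkt[off:off + length]
    if tag != 2 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 signature packet")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    areas = {"hashed": body[6:6 + hlen], "unhashed": body[8 + hlen:8 + hlen + ulen]}
    issuer = {k: d.hex().upper() for k, a in areas.items() for t, d in subpackets(a) if t == 16}
    return {"format": fmt, "hash_alg": body[3], "issuer": issuer}

# Constructed samples (not real signatures): CTB+length, fixed fields, hashed area, unhashed area, hash-left, MPI.
NEW_HASHED = bytes.fromhex("c21d 04000108 0010 05025716d4df 091018c4a5dfd888b456 0000 e864 0008ff")
OLD_UNHASHED = bytes.fromhex("881d 04000102 0006 05025716d4df 000a 0910d452f94a220096e4 4369 0008ff")

if __name__ == "__main__":
    for pkt in (NEW_HASHED, OLD_UNHASHED):
        print(describe(pkt))
```

Running `describe` on a real detached signature file shows whether the issuer subpacket is present in the unhashed area at all, which is the first thing to check when a verifier reports a zero key ID.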


