grub-devel

Re: verify not supporting all OpenPGP signature packets?


From: Ignat Korchagin
Subject: Re: verify not supporting all OpenPGP signature packets?
Date: Wed, 20 Apr 2016 12:30:50 +0100

And http://lists.gnu.org/archive/html/grub-devel/2016-04/msg00040.html


On Wed, Apr 20, 2016 at 11:11 AM, Andrei Borzenkov <address@hidden> wrote:
> http://lists.gnu.org/archive/html/grub-devel/2016-03/msg00294.html
>
> On Wed, Apr 20, 2016 at 4:59 AM, Charles Duffy <address@hidden> wrote:
>> Howdy --
>>
>> When trying to validate a signature produced by the Go standard-library
>> OpenPGP implementation, I get the following:
>>
>> grub> verify_detached /test /test.sig
>> error: public key 00000000 not found.
>>
>> GnuPG verifies this same signature successfully. On investigation, there
>> appear to be two differences, and I haven't yet narrowed down which one is
>> relevant. Comparing the output of pgpdump between a working signature and a
>> broken one:
>>
>> ## This works in GnuPG but not GRUB2's verify
>> New: Signature Packet(tag 2)(284 bytes)
>>         Ver 4 - new
>>         Sig type - Signature of a binary document(0x00).
>>         Pub alg - RSA Encrypt or Sign(pub 1)
>>         Hash alg - SHA256(hash 8)
>>         Hashed Sub: signature creation time(sub 2)(4 bytes)
>>                 Time - Tue Apr 19 20:01:19 CDT 2016
>>         Hashed Sub: issuer key ID(sub 16)(8 bytes)
>>                 Key ID - 0x18C4A5DFD888B456
>>         Hash left 2 bytes - e8 64
>>         RSA m^d mod n(2048 bits) - ...
>>                 -> PKCS-1
>>
>> ## This works in both
>> Old: Signature Packet(tag 2)(284 bytes)
>>         Ver 4 - new
>>         Sig type - Signature of a binary document(0x00).
>>         Pub alg - RSA Encrypt or Sign(pub 1)
>>         Hash alg - SHA1(hash 2)
>>         Hashed Sub: signature creation time(sub 2)(4 bytes)
>>                 Time - Tue Apr 19 20:43:04 CDT 2016
>>         Sub: issuer key ID(sub 16)(8 bytes)
>>                 Key ID - 0xD452F94A220096E4
>>         Hash left 2 bytes - 43 69
>>         RSA m^d mod n(2046 bits) - ...
>>                 -> PKCS-1
>>
>> The visible differences here (other than the hash algorithm, for which both
>> are known to be supported) are whether the key id subpacket is hashed, and
>> whether the 0x40 CTB flag is set.
>>
>> Is there any upstream knowledge here, so I don't go chasing down false
>> paths?
>>
>> _______________________________________________
>> Grub-devel mailing list
>> address@hidden
>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>
>
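
Added example, not part of the thread and not GRUB's or Go's code: a Python parser for the two differences named in the quoted question, the 0x40 new-format CTB flag and whether the issuer key ID (subpacket 16) sits in the hashed or the unhashed area of a v4 signature packet. The function names are assumptions of this example, and the two sample packets are constructed from the pgpdump fields quoted above, with a zeroed creation time and a zero-filled MPI in place of the real signature value.

```python
def var_len(buf, i, two_max):
    """Decode a new-style length at buf[i]; return (length, next offset)."""
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n <= two_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def read_header(buf):
    """Split one packet into (tag, is_new_format, body); RFC 4880 sec. 4.2."""
    ctb = buf[0]
    if not ctb & 0x80 or (ctb & 0x43) == 0x03:
        raise ValueError("bad CTB or indeterminate length")
    if ctb & 0x40:                        # new format: tag is the low 6 bits
        tag, (length, off) = ctb & 0x3F, var_len(buf, 1, 223)
    else:                                 # old format: tag is bits 5-2
        tag, off = (ctb >> 2) & 0x0F, 1 + (1 << (ctb & 3))
        length = int.from_bytes(buf[1:off], "big")
    if off + length > len(buf):
        raise ValueError("truncated packet")
    return tag, bool(ctb & 0x40), buf[off:off + length]

def issuer_key_id(packet):
    """Return (key id, 'hashed' or 'unhashed', is_new_format) for a v4 signature."""
    tag, new, body = read_header(packet)
    h = 6 + int.from_bytes(body[4:6], "big")          # end of hashed area
    u = h + 2 + int.from_bytes(body[h:h + 2], "big")  # end of unhashed area
    if tag != 2 or body[:1] != b"\x04" or u > len(body):
        raise ValueError("not a well-formed v4 signature packet")
    for where, i, end in (("hashed", 6, h), ("unhashed", h + 2, u)):
        while i < end:
            n, i = var_len(body, i, 254)  # subpacket length counts the type octet
            if n == 0 or i + n > end:
                raise ValueError("bad subpacket length")
            if (body[i] & 0x7F) == 16 and n == 9:     # issuer; bit 7 = critical
                return body[i + 1:i + 9].hex().upper(), where, new
            i += n
    return None, None, new

# Constructed samples mirroring the two pgpdump listings; the MPI is zero filler.
TIME, MPI = bytes([5, 2, 0, 0, 0, 0]), b"\x08\x00" + bytes(256)
NEW_SIG = (b"\xc2\xc0\x5c\x04\x00\x01\x08\x00\x10" + TIME + b"\x09\x10"
           + bytes.fromhex("18C4A5DFD888B456") + b"\x00\x00\xe8\x64" + MPI)
OLD_SIG = (b"\x89\x01\x1c\x04\x00\x01\x02\x00\x06" + TIME + b"\x00\x0a\x09\x10"
           + bytes.fromhex("D452F94A220096E4") + b"\x43\x69" + MPI)
```

A verifier that reads only old-format headers, or looks for the issuer only in the unhashed area, would return no key ID for `NEW_SIG` while handling `OLD_SIG` correctly.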


