[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] verify: search keyid in hashed signature subpackets (repost)
|
From: |
Ignat Korchagin |
|
Subject: |
Re: [PATCH] verify: search keyid in hashed signature subpackets (repost) |
|
Date: |
Mon, 21 Nov 2016 23:31:26 +0100 |
On Mon, Nov 21, 2016 at 6:56 PM, Jon McCune <address@hidden> wrote:
> On Mon, Nov 21, 2016 at 6:45 AM, Daniel Kiper <address@hidden> wrote:
>>
>> On Fri, Nov 18, 2016 at 12:00:08PM +0000, Ignat Korchagin wrote:
>> > Reposting this, as requested by Daniel and rebasing on current tree.
>> >
>> > Currently GRUB2 verify logic searches PGP keyid only in unhashed
>> > subpackets of PGP signature packet. As a result, signatures generated with
>> > GoLang openpgp package (https://godoc.org/golang.org/x/crypto/openpgp)
>> > could
>> > not be verified, because this package puts keyid in hashed subpackets and
>> > GRUB code never initializes the keyid variable, therefore is not able to
>> > find "verification key" with id 0x0.
>
>
> I think it would be wise to include a brief argument citing the OpenPGP RFC
> that this change is compliant. Compatibility with an existing implementation
> is valuable, but let's make sure the appropriate code is being changed. (I
> haven't looked carefully myself.)
>
> Thanks,
> -Jon
>
>
This change is compliant with RFC 4880. According to p 5.2.3 only
"Signature Creation Time" subpacket "MUST be present in the hashed
area". All other subpacket types may be present either in hashed or
unhashed areas. Currently, GRUB assumes, that the "Issuer" subpacket
is in unhashed area (by default put there by gpg tool), but other PGP
implementations like (https://godoc.org/golang.org/x/crypto/openpgp)
may put it in the hashed area.