[Gnuk-users] Gnuk creating invalid signatures
Jonathan Schleifer
js-gnuk-users at webkeks.org
Sat Oct 8 16:56:50 UTC 2016
Hi!
I had Gnuk generate 2 invalid signatures today, and then noticed that it had done the same a month ago when signing a Git commit:
https://github.com/Midar/objfw/commit/86552b7bb2ec9624ccd1fbef161fb989694b1cc0
The signature looks like this:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iGsEABYKABQFAlfV970NHGpzQGhlYXAuem9uZQAKCRAzjDVB21Thab4sAQDTPz3p
+Jp+J2hOD+NQiwiEkbEoqFOeZnryPr3twrSFBwD4goU8HdiHhCSaudCBwIE6Bnyu
ob5bOoyzzP5FQRXaDg==
=uVkg
-----END PGP SIGNATURE-----
The pubkey for this: https://heap.zone/pubkey.asc
I wonder how I could debug this? This sounds bad, especially as PGP did not catch this when signing, but only when verifying it later on.
Also, considering this is Ed25519, can my private key be in danger if an invalid signature has been created? I suppose if it e.g. failed to hash the message to use that as a nonce and thus reused a nonce (e.g. it used 0 since something failed, and then I had two invalid signatures pushed), then my private key is now leaked, right? How would I verify what exactly went wrong so that I know if I need to rotate keys?
Thanks,
Jonathan
More information about the gnuk-users
mailing list