[Gnuk-users] Gnuk creating invalid signatures
NIIBE Yutaka
gniibe at fsij.org
Tue Oct 11 01:05:17 UTC 2016
Hello,
On 10/09/2016 01:56 AM, Jonathan Schleifer wrote:
> I had Gnuk generate 2 invalid signatures today, and then noticed that it had done the same a month ago when signing a Git commit:
>
> https://github.com/Midar/objfw/commit/86552b7bb2ec9624ccd1fbef161fb989694b1cc0
>
How can I check this commit? I'd like to check the signature by
myself. I cloned the repository, but I can't find this commit in the
cloned working directory.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iGsEABYKABQFAlfV970NHGpzQGhlYXAuem9uZQAKCRAzjDVB21Thab4sAQDTPz3p
> +Jp+J2hOD+NQiwiEkbEoqFOeZnryPr3twrSFBwD4goU8HdiHhCSaudCBwIE6Bnyu
> ob5bOoyzzP5FQRXaDg==
> =uVkg
> -----END PGP SIGNATURE-----
gpg --verbose --list-packet says:
=====================================
# off=0 ctb=88 tag=2 hlen=2 plen=107
:signature packet: algo 22, keyid 338C3541DB54E169
version 4, created 1473640381, md5len 0, sigclass 0x00
digest algo 10, begin of digest be 2c
hashed subpkt 2 len 4 (sig created 2016-09-12)
hashed subpkt 28 len 12 (signer's user ID)
subpkt 16 len 8 (issuer key ID 338C3541DB54E169)
data: D33F3DE9F89A7E27684E0FE3508B088491B128A8539E667AF23EBDEDC2B48507
data: 82853C1DD88784249AB9D081C0813A067CAEA1BE5B3A8CB3CCFE454115DA0E
=====================================
"data" is the signature struct (r,s).
It seems that the cause of trouble is: the length of "s" is 248-bit.
> I wonder how I could debug this? This sounds bad, especially as PGP
> did not catch this when signing, but only when verifying it later
> on.
As I did, --list-packet with --verbose helps me.
> Also, considering this is Ed25519, can my private key be in danger
> if an invalid signature has been created? I suppose if it
> e.g. failed to hash the message to use that as a nonce and thus
> reused a nonce (e.g. it used 0 since something failed, and then I
> had two invalid signatures pushed), then my private key is now
> leaked, right? How would I verify what exactly went wrong so that I
> know if I need to rotate keys?
If I guess correctly, it may be a bug of scdaemon/gpg-agent/gnupg when
it formats the signature into OpenPGP format.
If it is right, don't worry. No information of your private key is
leaked.
Let me investigate the scenario of shorter bytes in the signature
structure of (r,s).
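
The packet walk behind the --list-packet output above, as an added example that is not part of the original message or of Gnuk/GnuPG: it decodes the quoted signature, reads the two MPIs, and left-pads each to 32 bytes. It assumes the MPIs carry the native 32-byte Ed25519 R and S strings, and the function names are hypothetical.

```python
import base64
import struct

# Base64 body of the signature quoted in this message (armor header lines and
# the "=uVkg" CRC24 line left out).
ARMOR_BODY = (
    "iGsEABYKABQFAlfV970NHGpzQGhlYXAuem9uZQAKCRAzjDVB21Thab4sAQDTPz3p"
    "+Jp+J2hOD+NQiwiEkbEoqFOeZnryPr3twrSFBwD4goU8HdiHhCSaudCBwIE6Bnyu"
    "ob5bOoyzzP5FQRXaDg=="
)

def read_mpi(buf, off):
    """OpenPGP MPI: 2-byte big-endian bit count, then the value with no leading zero bytes."""
    (bits,) = struct.unpack_from(">H", buf, off)
    nbytes = (bits + 7) // 8
    value = buf[off + 2 : off + 2 + nbytes]
    if len(value) != nbytes:
        raise ValueError("truncated MPI")
    return bits, value, off + 2 + nbytes

def parse_v4_sig(pkt):
    """Parse an old-format, one-byte-length v4 signature packet (the ctb=88 case above)."""
    if pkt[0] != 0x88 or pkt[1] != len(pkt) - 2 or pkt[2] != 4:
        raise ValueError("only old-format tag 2, version 4 is handled here")
    pk_algo, hash_algo = pkt[4], pkt[5]  # pkt[3] is the signature class
    off = 6
    for _ in range(2):  # skip the hashed, then the unhashed subpacket area
        (area_len,) = struct.unpack_from(">H", pkt, off)
        off += 2 + area_len
    off += 2  # left 16 bits of the digest ("begin of digest")
    r_bits, r, off = read_mpi(pkt, off)
    s_bits, s, off = read_mpi(pkt, off)
    if off != len(pkt):
        raise ValueError("trailing bytes after the MPIs")
    return {"pk_algo": pk_algo, "hash_algo": hash_algo,
            "r_bits": r_bits, "r": r, "s_bits": s_bits, "s": s}

def native_ed25519(sig):
    """Assumption: R and S are fixed 32-byte strings, so restore stripped leading zeros."""
    return sig["r"].rjust(32, b"\x00") + sig["s"].rjust(32, b"\x00")

if __name__ == "__main__":
    sig = parse_v4_sig(base64.b64decode(ARMOR_BODY))
    print("algo", sig["pk_algo"], "r bits", sig["r_bits"], "s bits", sig["s_bits"])
    print("R||S:", native_ed25519(sig).hex())
```

A consumer that copies the 31-byte value of "s" into a 32-byte field without this padding ends up with a different S.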