GopenPGP fails to verify detached signatures with unknown packet versions #70

Open
teythoon opened this issue Aug 12, 2020 · 0 comments
Labels
v2 Targeting GopenPGP v2

Comments

@teythoon

Unknown versions of Signature packets should be ignored to allow
for a smooth evolution of the OpenPGP message format.

Reproducer:

This is a fictitious v23 signature followed by a v4 signature:

-----BEGIN PGP SIGNATURE-----
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=pV3Y
-----END PGP SIGNATURE-----

This is the certificate to verify the v4 signature:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Bob's OpenPGP certificate

mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv
/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz
/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/
5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3
X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv
9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0
qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb
SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb
vLIwa3T4CyshfT0AEQEAAbQhQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w
bGU+iQHOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx
gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz
XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO
ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g
9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF
DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c
ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1
6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ
ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo
zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGuQGNBF2lnPIBDADW
ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI
DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+
Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO
baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT
86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh
827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6
vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U
qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A
EQEAAYkBtgQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ
EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS
KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx
cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i
tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV
dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w
qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy
jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj
zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV
NEJd3XZRzaXZE2aAMQ==
=NXei
-----END PGP PUBLIC KEY BLOCK-----

Interestingly, the verification succeeds if the v4 signature
comes first, so it might just be a problem with detecting the
kind of data:

-----BEGIN PGP SIGNATURE-----
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=6vh8
-----END PGP SIGNATURE-----
@lubux lubux added the v2 Targeting GopenPGP v2 label Jun 21, 2024
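The behaviour the issue asks for is a tolerant packet walk: read each packet header, look at the version octet of every Signature packet, and drop the ones the verifier does not understand before handing the rest to the real signature parser. The following is an added example written for this page, not GopenPGP's own code, nor anything from the issue author. It implements the RFC 4880 packet framing for both old- and new-format headers and filters on the version byte, so it goes a little beyond the single v23-then-v4 case shown above: any unknown version is skipped, in either order. The `SampleStream` bytes are constructed stand-ins for the reproducer (the v4 packet body is filler, not a real signature), and `KnownSignatureVersions` is an assumed policy for the verifier rather than a GopenPGP setting.

```go
package main

import "errors"

// Packet is one OpenPGP packet: tag plus body (RFC 4880, section 4.2).
type Packet struct {
	Tag  int
	Body []byte
}

const tagSignature = 2 // Signature packet tag (RFC 4880, section 5.2)

// KnownSignatureVersions: RFC 4880 defines 3 and 4 (an RFC 9580 implementation
// would add 6); any other version is skipped rather than failing verification.
var KnownSignatureVersions = map[int]bool{3: true, 4: true}

// beInt reads b as a big-endian unsigned integer.
func beInt(b []byte) int {
	v := 0
	for _, x := range b {
		v = v<<8 | int(x)
	}
	return v
}

// readHeader decodes an old- or new-format packet header (RFC 4880, section
// 4.2) and returns the tag, the body length and the header size. Partial and
// indeterminate lengths are rejected; neither occurs in a detached signature.
func readHeader(b []byte) (tag, length, hdr int, err error) {
	if len(b) < 2 || b[0]&0x80 == 0 {
		return 0, 0, 0, errors.New("invalid packet header")
	}
	if b[0]&0x40 == 0 { // old format: 4-bit tag, low two bits select 1/2/4 length octets
		n := 1 << (b[0] & 0x03)
		if n > 4 || len(b) < 1+n {
			return 0, 0, 0, errors.New("indeterminate or truncated old-format length")
		}
		return int(b[0]>>2) & 0x0f, beInt(b[1 : 1+n]), 1 + n, nil
	}
	tag = int(b[0] & 0x3f) // new format: 6-bit tag, first length octet selects the encoding
	switch o := int(b[1]); {
	case o < 192:
		length, hdr = o, 2
	case o < 224 && len(b) >= 3: // two-octet lengths carry an offset of 192
		length, hdr = (o-192)<<8+int(b[2])+192, 3
	case o == 255 && len(b) >= 6: // 0xff followed by four big-endian octets
		length, hdr = beInt(b[2:6]), 6
	case o >= 224 && o < 255:
		return 0, 0, 0, errors.New("partial body lengths are not supported")
	default:
		return 0, 0, 0, errors.New("truncated packet header")
	}
	return tag, length, hdr, nil
}

// ParsePackets splits the base64-decoded body of an armored block into packets.
func ParsePackets(data []byte) ([]Packet, error) {
	var pkts []Packet
	for len(data) > 0 {
		tag, length, hdr, err := readHeader(data)
		if err != nil {
			return nil, err
		}
		if len(data)-hdr < length {
			return nil, errors.New("packet body truncated")
		}
		pkts = append(pkts, Packet{Tag: tag, Body: data[hdr : hdr+length]})
		data = data[hdr+length:]
	}
	return pkts, nil
}

// FilterSignatures drops Signature packets whose version byte is not in known
// and reports the skipped versions. Everything else passes through in its
// original order, so the result can go to the normal v3/v4 signature parser.
func FilterSignatures(pkts []Packet, known map[int]bool) (kept []Packet, skipped []int) {
	for _, p := range pkts {
		if p.Tag == tagSignature && len(p.Body) > 0 && !known[int(p.Body[0])] {
			skipped = append(skipped, int(p.Body[0]))
			continue
		}
		kept = append(kept, p)
	}
	return kept, skipped
}

// SampleStream is a constructed packet sequence standing in for the issue's
// reproducer: a fictitious v23 signature (new-format header) and a v4-shaped
// packet (old-format header) whose body is filler, not a real signature.
func SampleStream(unknownFirst bool) []byte {
	v23 := []byte{0xc2, 5, 23, 0xde, 0xad, 0xbe, 0xef}
	v4 := []byte{0x88, 6, 4, 0x00, 0x01, 0x08, 0xab, 0xcd}
	if unknownFirst {
		return append(v23, v4...)
	}
	return append(v4, v23...)
}
```

Feeding `ParsePackets` the decoded armor body and then `FilterSignatures` with the verifier's known-version set yields the same single v4 packet whether the v23 packet comes first or second, which is the property the second half of the report says GopenPGP currently lacks. Keeping the skipped versions in the return value lets a caller log them, which is useful for spotting either a genuinely newer signature format or a malformed input without turning it into a hard failure.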