think I discovered a libgcrypt EdDSA Verification Bug -- Ed25519 skips verification + can't verify
NIIBE Yutaka
gniibe at fsij.org
Wed Oct 22 08:52:01 CEST 2025
Hello,
Sorry for my late response.
Zachary Fogg wrote:
> Anyway, I discovered gpg and libsodium are incompatible in my code.
[...]
> I hope this is enough information and an actual bug lol. If it's not a bug
> please let me know how to get libsodium and gpg working together properly.
Yes, your information is enough. Thanks for your report.
It's a corner case in libgcrypt. I think that we need better
documentation for Ed25519.
Historically, Ed25519 was introduced to libgcrypt as a curve, and then
EdDSA was supported.
To work with Ed25519 in libgcrypt, the flag "eddsa" is needed in a key.
It's like:
--- your-example-ed25519.c 2025-10-22 15:42:38.838917643 +0900
+++ your-example-ed25519-fixed.c 2025-10-22 15:41:31.103582651 +0900
@@ -12,7 +12,7 @@
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
// Generate Ed25519 keypair
- err = gcry_sexp_build(&keypair, NULL, "(genkey (ecc (curve Ed25519)))");
+ err = gcry_sexp_build(&keypair, NULL, "(genkey (ecc (flags eddsa) (curve Ed25519)))");
gcry_pk_genkey(&keypair, keypair);
privkey = gcry_sexp_find_token(keypair, "private-key", 0);
pubkey = gcry_sexp_find_token(keypair, "public-key", 0);
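Review bot: In the context lines around the changed `gcry_sexp_build` call, no check of `err` is visible before `gcry_pk_genkey(&keypair, keypair);` runs, and the return value of `gcry_pk_genkey` itself is discarded. A failed build or key generation would therefore go unnoticed, and the following `gcry_sexp_find_token` calls would operate on an unusable S-expression. Suggest testing both return values before extracting `private-key` and `public-key`. The same call also passes `keypair` as both the parameter list and the result, which overwrites the only pointer to the genkey parameter S-expression without a `gcry_sexp_release`; using a separate variable for the parameters and releasing it after key generation avoids the leak.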
=================================
I agree that: since Ed25519 only matters for EdDSA, this flag could be
assumed and it's helpful if it is not needed.
--