Invalid cross certification?

David Shaw dshaw at jabberwocky.com
Tue Apr 8 19:22:12 CEST 2008


On Tue, Apr 08, 2008 at 10:35:31AM -0500, Robert J. Hansen wrote:
> I'm beginning to do my own testing of GnuPG 2.0.9, and I'm seeing
> something a bit odd.  I have a message encrypted and signed to myself
> which GnuPG 1.4.9 decrypts and verifies correctly.  GnuPG 2.0.9 gives a
> warning about there being an invalid cross-certification.
> 
> Googling was not especially helpful.  Checking the source code,
> sig-check.c turned out to have the most useful bit of information:
> 
> /* Check the backsig.  This is a 0x19 signature from the
> ~   subkey on the primary key.  The idea here is that it should
> ~   not be possible for someone to "steal" subkeys and claim
> ~   them as their own.  The attacker couldn't actually use the
> ~   subkey, but they could try and claim ownership of any
> ~   signaures issued by it. */
> 
> So the obvious questions:
> 
> 1.  If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is
> there this difference in functionality?

This should work.  I believe the code is identical around backsigs.

> 2.  How is it possible to put an 0x19 signature on the primary key from
> the subkey, in order to get rid of this error message?

It seems that there is a valid 0x19 signature already, as 1.4.9 does
not give you a warning.  Still, if you do --edit-key and then
"cross-certify", you can add a backsig to any key you like.

Looking at your signing subkey 8D02BBB3, I do see a valid backsig on
it.

Ah, I suspect this is the reason:

        subpkt 32 len 86 (signature: v4, class 0x19, algo 17, digest
	algo 11)

Digest algo 11 is SHA-224, which is fairly recent.  I believe it was
added to libgcrypt somewhere in the 1.3.x development.  Does your
libgcrypt have it?

David



More information about the Gnupg-users mailing list