Bad signatures issued on macOS

Jordan Martinez jordan.martinez at arista.com
Mon Feb 23 16:30:59 CET 2026


Hi all

I've been working with John Soo on this and have been asked to continue
where John left off.

Using 2.5.17, I tried verifying the same signature 100 times via a script
and got a bad signature on each attempt. Here's how I ran such a test. Let
me know whether or not this is a valid test run.

To ease the ability to build 2.5.17 from source, I used Homebrew to get the
dependencies I needed. See `configuration-output.txt` for build-related
output information.

Steps I took to build 2.5.17 and run the test:
```
cd gnupg-w32-2.5.17
mkdir build
cd build
# Point configure at the Homebrew-installed dependencies; this is one command,
# the trailing backslashes continue the line
../configure --enable-all-tests \
  --with-libgpg-error-prefix=/opt/homebrew/Cellar/libgpg-error/1.58 \
  --with-libgcrypt-prefix=/opt/homebrew/Cellar/libgcrypt/1.12.0 \
  --with-libassuan-prefix=/opt/homebrew/Cellar/libassuan/3.0.2 \
  --with-libksba-prefix=/opt/homebrew/Cellar/libksba/1.6.7 \
  --with-npth-prefix=/opt/homebrew/Cellar/npth/1.8
make
make check
sudo make install

# Verified path's gpg was 2.5.17
gpg --version

# Renamed old `.gnupg` folder to ensure it didn't conflict
# with newer gpg version
cd ~
mv .gnupg .old-gnupg
gpgconf --kill all

# Reimported original key (with no file argument, gpg reads the key from stdin)
gpg --import

# Ran the code sign test
cd code-sign-test
./debug.sh
```

configuration-output.txt
```
configure: WARNING:

***
*** The config script "/opt/homebrew/bin/gpgrt-config
--libdir=/opt/homebrew/lib gpg-error" was
*** built for aarch64-apple-darwin25.1.0 and thus may not match the
*** used host aarch64-apple-darwin25.2.0.
*** You may want to use the configure option --with-libgpg-error-prefix
*** to specify a matching config script or use $SYSROOT.
***

configure: WARNING:
***
*** The config script "/opt/homebrew/bin/gpgrt-config
--libdir=/opt/homebrew/lib libassuan" was
*** built for aarch64-apple-darwin25.0.0 and thus may not match the
*** used host aarch64-apple-darwin25.2.0.
*** You may want to use the configure option --with-libassuan-prefix
*** to specify a matching config script.
***

configure: WARNING:
***
*** The config script "/opt/homebrew/bin/gpgrt-config
--libdir=/opt/homebrew/lib ksba" was
*** built for aarch64-apple-darwin25.0.0 and thus may not match the
*** used host aarch64-apple-darwin25.2.0.
*** You may want to use the configure option --with-libksba-prefix
*** to specify a matching config script.
***

configure: WARNING:
***
*** The config script "/opt/homebrew/bin/gpgrt-config
--libdir=/opt/homebrew/lib npth" was
*** built for aarch64-apple-darwin25.0.0 and thus may not match the
*** used host aarch64-apple-darwin25.2.0.
*** You may want to use the configure option --with-npth-prefix
*** to specify a matching config script.
***

GnuPG v2.5.17 has been configured as follows:

Revision:  17b514596  (6069)
Platform:  Darwin (aarch64-apple-darwin25.2.0)

OpenPGP:   yes
S/MIME:    yes
Agent:     yes
Smartcard: yes (without internal CCID driver)
TPM:       no
G13:       no
Dirmngr:   no
Keyboxd:   no
Gpgtar:    yes
WKS tools: yes

Protect tool:       (default)
LDAP wrapper:       (default)
Default agent:      (default)
Default pinentry:   (default)
Default scdaemon:   (default)
Default keyboxd:    (default)
Default tpm2daemon: (default)
Default dirmngr:    (default)

Dirmngr auto start:  yes
Readline support:    no
LDAP support:        n/a
TLS support:         no
TOFU support:        no
Tor support:         only .onion

Warning: Mismatches between the target platform and the
            to be used libraries have been detected for:
            libgpg-error
            Please check above for more warning messages.

```

`debug.sh` script:
```
#!/usr/bin/env bash

echo "" > git-trace.txt

# Start from a clean slate; -f so files missing from an earlier run are not an error
rm -f data.txt.asc *-dbgmd-00001.sign *-dbgmd-00001.verify *-dbgmd-00002.unknown

echo "GPG version"
# Replace line 8 of the version output (the "Home:" line) with a redacted path
gpg --version | sed '8c\
Home: /Users/<user>/.gnupg'
echo ""

for i in {1..100}; do
  echo "loop ${i}"
  rm -f data.txt.asc
  echo "data was"
  cat data.txt
  # Detached (-b), armored (-a) signature (-s) made with key -u; --debug hashing
  # makes libgcrypt dump the bytes it hashes to dbgmd-NNNNN.<tag> in the current dir
  gpg --verbose --debug hashing -bsau 6E628CC4145FD2ED data.txt
  echo ""
  echo "signature was"
  cat data.txt.asc
  echo ""
  echo "verification was"
  if ! gpg --verify --verbose --debug hashing data.txt.asc data.txt; then
    echo "result: failed"
    echo "gpg verify failed for ${i}"
    # Keep the hash dumps of the failing sign/verify pair for later comparison
    mv dbgmd-00001.sign bad-dbgmd-00001.sign
    mv dbgmd-00001.verify bad-dbgmd-00001.verify
    mv dbgmd-00002.unknown bad-dbgmd-00002.unknown
    echo ""
    echo "Starting loop to verify signature multiple times"
    # Re-verify the same signature to tell a flaky verifier from a bad signature
    for j in {1..100}; do
      echo "Verify loop ${j}"
      if ! gpg --verify --verbose --debug hashing data.txt.asc data.txt; then
        echo "Verify loop failed for ${j}"
      else
        echo "Verify loop succeeded for ${j}"
        break
      fi
      echo ""
      echo ""
    done
    break
  else
    echo "result: succeeded"
    echo "gpg verify passed for ${i}"
    # Keep the dumps of the last good pair as a reference
    mv dbgmd-00001.sign good-dbgmd-00001.sign
    mv dbgmd-00001.verify good-dbgmd-00001.verify
    mv dbgmd-00002.unknown good-dbgmd-00002.unknown
  fi
  echo ""
  echo ""
done
```

On Mon, Feb 23, 2026 at 9:25 AM John Soo <john.soo+gnupg-users at arista.com>
wrote:

> cc'ing Jordan who is debugging this, too.
>


-- 
Blessings,
Jordan
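With `--debug hashing`, libgcrypt writes the exact bytes it was asked to hash to the `dbgmd-NNNNN.<tag>` files that `debug.sh` saves as `bad-dbgmd-00001.sign` and `bad-dbgmd-00001.verify`. As an added example, not part of this post or of GnuPG, here is a script that reports where the sign-time and verify-time dumps first diverge; it runs on two constructed sample files, and the names `sample-sign.bin` / `sample-verify.bin` are assumptions in place of the real dumps.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: compare the bytes libgcrypt hashed at
# sign time with those hashed at verify time (the dbgmd-*.sign / *.verify dumps).
# A difference means signer and verifier hashed different input, which points at
# the data path rather than at the key or the signature math.
set -u

# 0-based offset of the first byte that differs between two files; -1 if identical.
first_diff_offset() {
  local a="$1" b="$2" n
  if cmp -s "$a" "$b"; then
    echo "-1"
    return 0
  fi
  # `cmp -l` lists "offset octal octal" per differing byte, offset being 1-based.
  n=$(cmp -l "$a" "$b" 2>/dev/null | head -n 1 | awk '{print $1 - 1}')
  if [ -z "$n" ]; then
    # No differing byte within the common length: one file is a prefix of the
    # other, so the first difference is where the shorter file ends.
    local la lb
    la=$(( $(wc -c < "$a") )); lb=$(( $(wc -c < "$b") ))
    n=$la; [ "$lb" -lt "$la" ] && n=$lb
  fi
  echo "$n"
}

# Print a verdict plus a hex dump of both files around the first difference.
compare_hash_inputs() {
  local sign="$1" verify="$2" off start f
  off=$(first_diff_offset "$sign" "$verify")
  if [ "$off" -eq -1 ]; then
    echo "hash inputs identical: sign and verify hashed the same bytes"
    return 0
  fi
  start=$(( off > 16 ? off - 16 : 0 ))
  echo "hash inputs differ at byte offset $off"
  for f in "$sign" "$verify"; do
    echo "== $f ($(( $(wc -c < "$f") )) bytes)"
    od -A d -t x1 -j "$start" -N 32 "$f"
  done
  return 1
}

# Constructed sample dumps (not real gpg output); the "verify" side ends in CRLF.
printf 'hello world\n' > sample-sign.bin
printf 'hello world\r\n' > sample-verify.bin
compare_hash_inputs sample-sign.bin sample-verify.bin || true
```

On real dumps, run `compare_hash_inputs bad-dbgmd-00001.sign bad-dbgmd-00001.verify` from the `code-sign-test` directory; a non-zero exit status signals a mismatch.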