[Rpm-maint] [rpm-software-management/rpm] Return better error codes from the crypto backends (Issue #2127)

Sat Nov 19 14:51:43 UTC 2022

@dkg explains why v3 signatures are problematic [in this issue](https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c24):

> The upcoming cryptographic refresh of the OpenPGP standard explicitly says that clients MUST NOT generate v3 signatures but MAY verify them.  However, v3 signatures contain significantly less context than v4 signatures.  For example, the data signed by a v3 signature does not include the version number, the choices of hash and asymmetric algorithm involved, or any additional metadata that it is possible to embed in a v4 signature.  The only two pieces of metadata actually covered by a v3 signature are the sigtype (one octet) and a four-byte timestamp (unsigned seconds since the unix epoch).
>
> If we've learned anything from cryptographic signing protocols over the last several decades, it's that one of the risks of signatures is that they can be interpreted out of context.  the simple and obvious fix for this is to ensure that the relevant pieces of context are included in the signed data in an unambiguous way.  v3 signatures cannot do that.
>
> I strongly recommend rpm producing a warning when it encounters a v3 signature, so that we can flush out any remaining legacy signers.

AIUI, he's not saying that v3 signatures are known to be broken, but that there are better alternatives that are less risky.  Moreover, the 2007 standard advised implementations to stop generating them.

The only software that I'm aware of that still generates them is obs-sign.  And, I only learned about that 9 days ago.  Sequoia didn't verify them, and this is the first report that we got that this is an issue.  OpenPGP.js and gopenpgp ["haven't supported it for quite a while"](https://mailarchive.ietf.org/arch/msg/openpgp/iy0E0EhZ3Lt6gcJpgN6Z7xxMiio/), and apparently they have't gotten any complaints either.   `gpg` still verifies them, but at least as of 2.2.27, it silently ignores the `--force-v3-sigs` option:

```
$ echo | gpg -s --force-v3-sigs | sq packet dump
...
└── Signature Packet, old CTB, 307 bytes
        Version: 4
...
```

Having Sequoia reject v3 signatures by default will hopefully help root out any software that still generates v3 signatures.  And if software still needs to process v3 signatures using Sequoia, it's quite easy to opt in, as Fedora will do.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1320901343
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2127/1320901343 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20221119/52a41833/attachment-0001.html>