[Bug 2115446] Re: gnupg2 fails to identify public key of a signature

Jacob Keller 2115446 at bugs.launchpad.net
Thu Jul 10 16:12:00 UTC 2025


*** This bug is a duplicate of bug 2114775 ***
    https://bugs.launchpad.net/bugs/2114775

Reasonably sure this is a duplicate of
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2114775

** This bug has been marked a duplicate of bug 2114775
   Key validity not computed when key is certified by a trusted "certify-only" key (regression due to patch for CVE-2025-30258)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/2115446

Title:
  gnupg2 fails to identify public key of a signature

Status in gnupg2 package in Ubuntu:
  New

Bug description:
  I recently migrated my keys to an Ubuntu system, running with
  2.4.4-2ubuntu17.2, and discovered that one of the signatures on my key
  was not being verified:

  $ gpg --check-sigs jacob.keller at gmail.com
  pub   ed25519 2025-06-25 [SC]
        204054A9D73390562AEC431E6A965D3E6F0F28E8
  uid           [ultimate] Jacob Keller <jacob.keller at gmail.com>
  sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
  uid           [ultimate] Jacob Keller <jacob.e.keller at intel.com>
  sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
  sub   cv25519 2025-06-25 [E]
  sig!         6A965D3E6F0F28E8 2025-06-25  [self-signature]

  gpg: 3 good signatures
  gpg: 2 signatures not checked due to missing keys

  With the same keys on a different system (Fedora, running gnupg2
  2.4.7), all 5 signatures verify:

  $ gpg --check-sigs jacob.keller at gmail.com
  pub   ed25519 2025-06-25 [SC]
        204054A9D73390562AEC431E6A965D3E6F0F28E8
  uid           [ unknown] Jacob Keller <jacob.keller at gmail.com>
  sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
  sig!         237BCB3666CDC698 2025-06-25  Tony Nguyen <anthony.l.nguyen at intel.com>
  uid           [ unknown] Jacob Keller <jacob.e.keller at intel.com>
  sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
  sig!         237BCB3666CDC698 2025-06-25  Tony Nguyen <anthony.l.nguyen at intel.com>
  sub   cv25519 2025-06-25 [E]
  sig!         6A965D3E6F0F28E8 2025-06-25  [self-signature]

  gpg: 5 good signatures

  I verified that the signature from Tony exists:

  $ gpg --list-keys 237BCB3666CDC698
  pub   rsa4096 2020-10-01 [C] [expires: 2027-02-10]
        B75ECEE0E2943BED6D682232237BCB3666CDC698
  uid           [  full  ] Tony Nguyen <anthony.l.nguyen at intel.com>
  sub   ed25519 2020-10-01 [S]
  sub   rsa4096 2020-11-06 [E]
  sub   rsa2048 2020-11-06 [E]

  This was very confusing, and I scratched my head over this for several
  hours. Eventually, I tried the stock gnupg2 2.4.4 from source, and it
  worked just fine on the exact same key database.

  I followed up by checking the gnupg2 source code that comes with the
  gnupg2 2.4.4-2ubuntu17.2 package. It has backports for several commits
  from the 2.5.x development series.

  I imported the quilt patches from the apt source for the package, and
  ran a git bisect. This led me to the following backport as the
  failure:

  $ git bisect log
  git bisect start
  # status: waiting for both good and bad commits
  # bad: [a2fcde5b0456b70a1ed2f4157ecec152dd529409] gpg: Fix double free of internal data.
  git bisect bad a2fcde5b0456b70a1ed2f4157ecec152dd529409
  # status: waiting for good commit(s), bad commit known
  # good: [a43271cc08e2068acc75a1742f90740afe0479e0] Release 2.4.4
  git bisect good a43271cc08e2068acc75a1742f90740afe0479e0
  # good: [bbb659d34de9c4d96908d76bdddfaec34143e115] agent: Fix timer list management.
  git bisect good bbb659d34de9c4d96908d76bdddfaec34143e115
  # good: [6387456592cbd6241a735b91b51a570f2d564c23] Use hkps://keys.openpgp.org as the default keyserver
  git bisect good 6387456592cbd6241a735b91b51a570f2d564c23
  # good: [b3f6128a287423c270be9f476b9597417b4f08d9] no-keyboxd
  git bisect good b3f6128a287423c270be9f476b9597417b4f08d9
  # good: [f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd] gpg: Remove a signature check function wrapper.
  git bisect good f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd
  # bad: [7254a9ba766cc25337e50199d5ce57aaffa6a103] CVE-2025-30258-4
  git bisect bad 7254a9ba766cc25337e50199d5ce57aaffa6a103
  # bad: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3
  git bisect bad a7293b88e55e6c4a1e365578b7584527596a9219
  # first bad commit: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3 

  $ git show a7293b88e55e6c4a1e365578b7584527596a9219
  commit a7293b88e55e6c4a1e365578b7584527596a9219
  Author: Jacob Keller <jacob.e.keller at intel.com>
  Date:   Thu Jun 26 11:59:07 2025 -0700

      CVE-2025-30258-3

      Backport of:

      From da0164efc7f32013bc24d97b9afa9f8d67c318bb Mon Sep 17 00:00:00 2001
      From: Werner Koch <wk at gnupg.org>
      Date: Fri, 21 Feb 2025 12:16:17 +0100
      Subject: [PATCH] gpg: Fix a verification DoS due to a malicious subkey in the
       keyring.

      * g10/getkey.c (get_pubkey): Factor code out to ...
      (get_pubkey_bykid): new.  Add feature to return the keyblock.
      (get_pubkey_for_sig): Add arg r_keyblock to return the used keyblock.
      Request a signing usage.
      (get_pubkeyblock_for_sig): Remove.
      (finish_lookup): Improve debug output.
      * g10/sig-check.c (check_signature): Add arg r_keyblock and pass it
      down.
      * g10/mainproc.c (do_check_sig): Ditto.
      (check_sig_and_print): Use the keyblock returned by do_check_sig to
      show further information instead of looking it up again with
      get_pubkeyblock_for_sig.  Also re-check the signature after the import
      of an included keyblock.
      --

      The problem here is that it is possible to import a key from someone
      who added a signature subkey from another public key and thus inhibits
      that a good signature could be verified.

      Such a malicious key signature subkey must have been created w/o the
      mandatory backsig which binds a signature subkey to its primary key.
      For encryption subkeys this is not an issue because the existence of a
      decryption private key is all you need to decrypt something and then
      it does not matter if the public subkey or its binding signature has
      been put below another primary key; in fact we do the latter for
      ADSKs.

      GnuPG-bug-id: 7527
      Backported-from-master: 48978ccb4e20866472ef18436a32744350a65158

  
  I looked through the main development branch of the gnupg2 code and discovered that this CVE fix has multiple regression fixes. Most of them were already included in the Ubuntu package, except the following:

  $ git show 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
  commit 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
  Author: Werner Koch <wk at gnupg.org>
  Date:   Fri May 2 11:11:05 2025 +0200

      gpg: Fix another regression due to the T7547 fix.

      * g10/getkey.c (get_pubkey_for_sig): Keep a requested
      PUBKEY_USAGE_CERT.
      (finish_lookup): For correctness in future use cases allow
      PUBKEY_USAGE_CERT to also trigger verify mode.
      --

      The case here was that a cert-only primary key was removed with
      export-clean.

      GnuPG-bug-id: 7583

  I applied this to my test build and everything now works. I believe
  the Ubuntu package needs to backport this fix.

  Other information:
  $ lsb_release -rd
  No LSB modules are available.
  Description:    Ubuntu 24.04.2 LTS
  Release:        24.04

  $ apt-cache policy gnupg2
  gnupg2:
    Installed: (none)
    Candidate: 2.4.4-2ubuntu17.2
    Version table:
       2.4.4-2ubuntu17.2 500
          500 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages
       2.4.4-2ubuntu17 500
          500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2115446/+subscriptions
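The report shows the symptom a maintainer or auditor has to catch here: `--check-sigs` prints "2 signatures not checked due to missing keys" although the certifying key (Tony's cert-only primary) is present in the keyring. Because gpg omits unverifiable signatures from the `--check-sigs` listing and only counts them in the summary line, the skipped signatures can be recovered by diffing the full `--list-sigs` listing against it. The script below does that on the machine-readable `--with-colons` output. It is an added example, not code from the bug report or from GnuPG; the field positions follow gnupg's doc/DETAILS, and the sample records are constructed for this example using the key IDs quoted in the report (the subkey ID is a placeholder), not the reporter's actual output.

```python
"""Find signatures that gpg skipped in --check-sigs even though the
signer's key is present in the keyring (the symptom in bug 2115446).

With --check-sigs, gpg drops signatures whose key it cannot look up from
the listing and only counts them in the summary line ("N signatures not
checked due to missing keys"), so the skipped ones are recovered by
comparing against the complete --list-sigs listing.  All inputs are
--with-colons output (field layout per gnupg doc/DETAILS).  The sample
records at the bottom are constructed for this example; they are not the
reporter's real output.
"""

from dataclasses import dataclass
import subprocess


@dataclass(frozen=True)
class Sig:
    # The uid/subkey the signature sits under, the signer's key ID, the
    # creation time and the signature class together identify one sig.
    context: str
    keyid: str
    created: str
    sigclass: str
    signer_uid: str

    def identity(self):
        return (self.context, self.keyid, self.created, self.sigclass)


def parse_colons(text):
    """Return (present_keyids, sigs) parsed from --with-colons output."""
    present, sigs, context = set(), [], ""
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            present.add(f[4].upper())            # field 5: 16-hex key ID
            context = f"{f[0]}:{f[4].upper()}"
        elif f[0] == "uid":
            context = "uid:" + f[9]              # field 10: user ID string
        elif f[0] == "sig":
            # field 5 key ID, field 6 creation, field 10 uid, field 11 class
            sigs.append(Sig(context, f[4].upper(), f[5], f[10], f[9]))
    return present, sigs


def unchecked_despite_key(list_keys_text, list_sigs_text, check_sigs_text):
    """Signatures in --list-sigs that --check-sigs omitted although the
    signer key appears in --list-keys.  A correct gpg returns []: when the
    key is present, a signature is reported as good ('!') or bad ('-')."""
    present, _ = parse_colons(list_keys_text)
    _, all_sigs = parse_colons(list_sigs_text)
    _, checked = parse_colons(check_sigs_text)
    checked_ids = {s.identity() for s in checked}
    return [s for s in all_sigs
            if s.identity() not in checked_ids and s.keyid in present]


def gpg_colons(*args):
    """Run gpg on the live keyring and return its --with-colons output."""
    return subprocess.run(["gpg", "--with-colons", "--batch", *args],
                          capture_output=True, text=True, check=True).stdout


# ---- constructed sample data (subkey ID 0000000000000000 is a placeholder) ----
LIST_KEYS = """\
pub:u:255:22:6A965D3E6F0F28E8:1750809600:::u:::cESC::::::23::0:
uid:u::::1750809600::HASH1::Jacob Keller <jacob.keller@gmail.com>::::::::::0:
sub:u:255:18:0000000000000000:1750809600::::::e::::::23:
pub:f:4096:1:237BCB3666CDC698:1601510400:1802217600::f:::c::::::23::0:
uid:f::::1601510400::HASH2::Tony Nguyen <anthony.l.nguyen@intel.com>::::::::::0:
"""

LIST_SIGS = """\
pub:u:255:22:6A965D3E6F0F28E8:1750809600:::u:::cESC::::::23::0:
uid:u::::1750809600::HASH1::Jacob Keller <jacob.keller@gmail.com>::::::::::0:
sig:::22:6A965D3E6F0F28E8:1750809600::::Jacob Keller <jacob.keller@gmail.com>:13x:
sig:::1:237BCB3666CDC698:1750809600::::Tony Nguyen <anthony.l.nguyen@intel.com>:10x:
uid:u::::1750809600::HASH3::Jacob Keller <jacob.e.keller@intel.com>::::::::::0:
sig:::22:6A965D3E6F0F28E8:1750809600::::Jacob Keller <jacob.keller@gmail.com>:13x:
sig:::1:237BCB3666CDC698:1750809600::::Tony Nguyen <anthony.l.nguyen@intel.com>:10x:
sub:u:255:18:0000000000000000:1750809600::::::e::::::23:
sig:::22:6A965D3E6F0F28E8:1750809600::::Jacob Keller <jacob.keller@gmail.com>:18x:
"""

# What a correct gpg (Fedora 2.4.7 in the report) shows: all 5 checked.
CHECK_SIGS_OK = LIST_SIGS.replace("sig:::", "sig:!::")

# What the regressed Ubuntu build shows: Tony's two certifications vanish.
CHECK_SIGS_BROKEN = "\n".join(
    l for l in CHECK_SIGS_OK.splitlines() if "237BCB3666CDC698" not in l) + "\n"


if __name__ == "__main__":
    # Live check against the local keyring; pass a user ID as argv[1].
    import sys
    user = sys.argv[1]
    bad = unchecked_despite_key(gpg_colons("--list-keys"),
                                gpg_colons("--list-sigs", user),
                                gpg_colons("--check-sigs", user))
    for s in bad:
        print(f"unchecked but key present: {s.keyid} on {s.context} ({s.signer_uid})")
```

Run against the sample data, the broken listing yields the two certifications by 237BCB3666CDC698, the correct listing yields none. Against a live keyring, a non-empty result on a stock gnupg2 is a signal that the installed build carries the CVE-2025-30258 backport without the T7583 follow-up fix, or that something else is preventing an available key from being used for verification.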
