[Bug 2115446] [NEW] gnupg2 fails to identify public key of a signature
Jacob Keller
2115446 at bugs.launchpad.net
Thu Jun 26 19:52:23 UTC 2025
Public bug reported:

I recently migrated my keys to an Ubuntu system, running with
2.4.4-2ubuntu17.2, and discovered that one of the signatures on my key
was not being verified:

  $ gpg --check-sigs jacob.keller at gmail.com
  pub ed25519 2025-06-25 [SC]
  204054A9D73390562AEC431E6A965D3E6F0F28E8
  uid [ultimate] Jacob Keller <jacob.keller at gmail.com>
  sig!3 6A965D3E6F0F28E8 2025-06-25 [self-signature]
  uid [ultimate] Jacob Keller <jacob.e.keller at intel.com>
  sig!3 6A965D3E6F0F28E8 2025-06-25 [self-signature]
  sub cv25519 2025-06-25 [E]
  sig! 6A965D3E6F0F28E8 2025-06-25 [self-signature]

  gpg: 3 good signatures
  gpg: 2 signatures not checked due to missing keys

The same keys on a different system (Fedora, running with gnupg2 2.4.7),
all 5 signatures verify:

  $ gpg --check-sigs jacob.keller at gmail.com
  pub ed25519 2025-06-25 [SC]
  204054A9D73390562AEC431E6A965D3E6F0F28E8
  uid [ unknown] Jacob Keller <jacob.keller at gmail.com>
  sig!3 6A965D3E6F0F28E8 2025-06-25 [self-signature]
  sig! 237BCB3666CDC698 2025-06-25 Tony Nguyen <anthony.l.nguyen at intel.com>
  uid [ unknown] Jacob Keller <jacob.e.keller at intel.com>
  sig!3 6A965D3E6F0F28E8 2025-06-25 [self-signature]
  sig! 237BCB3666CDC698 2025-06-25 Tony Nguyen <anthony.l.nguyen at intel.com>
  sub cv25519 2025-06-25 [E]
  sig! 6A965D3E6F0F28E8 2025-06-25 [self-signature]

  gpg: 5 good signatures

I verified that the signature from Tony exists:

  $ gpg --list-keys 237BCB3666CDC698
  pub rsa4096 2020-10-01 [C] [expires: 2027-02-10]
  B75ECEE0E2943BED6D682232237BCB3666CDC698
  uid [ full ] Tony Nguyen <anthony.l.nguyen at intel.com>
  sub ed25519 2020-10-01 [S]
  sub rsa4096 2020-11-06 [E]
  sub rsa2048 2020-11-06 [E]

This was very confusing, and I scratched my head over this for several
hours. Eventually, I tried the stock gnupg2 2.4.4 from source, and it
worked just fine on the exact same key database.

I followed up by checking the gnupg2 source code that comes with the
gnupg2 2.4.4-2ubuntu17.2 package. It has backports for several commits
from the 2.5.x development series.

I imported the quilt patches from the apt source for the package, and
ran a git bisect. This led me to the following backport as the failure:

  $ git bisect log
  git bisect start
  # status: waiting for both good and bad commits
  # bad: [a2fcde5b0456b70a1ed2f4157ecec152dd529409] gpg: Fix double free of internal data.
  git bisect bad a2fcde5b0456b70a1ed2f4157ecec152dd529409
  # status: waiting for good commit(s), bad commit known
  # good: [a43271cc08e2068acc75a1742f90740afe0479e0] Release 2.4.4
  git bisect good a43271cc08e2068acc75a1742f90740afe0479e0
  # good: [bbb659d34de9c4d96908d76bdddfaec34143e115] agent: Fix timer list management.
  git bisect good bbb659d34de9c4d96908d76bdddfaec34143e115
  # good: [6387456592cbd6241a735b91b51a570f2d564c23] Use hkps://keys.openpgp.org as the default keyserver
  git bisect good 6387456592cbd6241a735b91b51a570f2d564c23
  # good: [b3f6128a287423c270be9f476b9597417b4f08d9] no-keyboxd
  git bisect good b3f6128a287423c270be9f476b9597417b4f08d9
  # good: [f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd] gpg: Remove a signature check function wrapper.
  git bisect good f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd
  # bad: [7254a9ba766cc25337e50199d5ce57aaffa6a103] CVE-2025-30258-4
  git bisect bad 7254a9ba766cc25337e50199d5ce57aaffa6a103
  # bad: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3
  git bisect bad a7293b88e55e6c4a1e365578b7584527596a9219
  # first bad commit: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3

  $ git show a7293b88e55e6c4a1e365578b7584527596a9219
  commit a7293b88e55e6c4a1e365578b7584527596a9219
  Author: Jacob Keller <jacob.e.keller at intel.com>
  Date: Thu Jun 26 11:59:07 2025 -0700

      CVE-2025-30258-3

      Backport of:

      From da0164efc7f32013bc24d97b9afa9f8d67c318bb Mon Sep 17 00:00:00 2001
      From: Werner Koch <wk at gnupg.org>
      Date: Fri, 21 Feb 2025 12:16:17 +0100
      Subject: [PATCH] gpg: Fix a verification DoS due to a malicious subkey in the
       keyring.

      * g10/getkey.c (get_pubkey): Factor code out to ...
      (get_pubkey_bykid): new. Add feature to return the keyblock.
      (get_pubkey_for_sig): Add arg r_keyblock to return the used keyblock.
      Request a signing usage.
      (get_pubkeyblock_for_sig): Remove.
      (finish_lookup): Improve debug output.
      * g10/sig-check.c (check_signature): Add arg r_keyblock and pass it
      down.
      * g10/mainproc.c (do_check_sig): Ditto.
      (check_sig_and_print): Use the keyblock returned by do_check_sig to
      show further information instead of looking it up again with
      get_pubkeyblock_for_sig. Also re-check the signature after the import
      of an included keyblock.
      --

      The problem here is that it is possible to import a key from someone
      who added a signature subkey from another public key and thus inhibits
      that a good signature good be verified.

      Such a malicious key signature subkey must have been created w/o the
      mandatory backsig which bind a signature subkey to its primary key.

      For encryption subkeys this is not an issue because the existence of a
      decryption private key is all you need to decrypt something and then
      it does not matter if the public subkey or its binding signature has
      been put below another primary key; in fact we do the latter for
      ADSKs.

      GnuPG-bug-id: 7527
      Backported-from-master: 48978ccb4e20866472ef18436a32744350a65158

I looked through the main development branch of the gnupg2 code and
discovered that this CVE fix has multiple regression fixes. Most of them
were already included in the Ubuntu package, except the following:

  $ git show 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
  commit 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
  Author: Werner Koch <wk at gnupg.org>
  Date: Fri May 2 11:11:05 2025 +0200

      gpg: Fix another regression due to the T7547 fix.

      * g10/getkey.c (get_pubkey_for_sig): Keep a requested
      PUBKEY_USAGE_CERT.
      (finish_lookup): For correctness in future use cases allow
      PUBKEY_USAGE_CERT to also trigger verify mode.
      --

      The case here was that a cert-only primary key was removed with
      export-clean.

      GnuPG-bug-id: 7583

I applied this to my test build and everything now works. I believe the
Ubuntu package needs to backport this fix.

Other information:

  $ lsb_release -rd
  No LSB modules are available.
  Description: Ubuntu 24.04.2 LTS
  Release: 24.04

  $ apt-cache policy gnupg2
  gnupg2:
    Installed: (none)
    Candidate: 2.4.4-2ubuntu17.2
    Version table:
       2.4.4-2ubuntu17.2 500
          500 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages
       2.4.4-2ubuntu17 500
          500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages

** Affects: gnupg2 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2115446
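
Added example, not part of the original report: the symptom described above is a signature that `gpg --check-sigs` leaves unchecked for a "missing key" while `gpg --list-keys` shows the issuer key is present. The script below finds such signatures from gpg's colon-format listings; the function name, file names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Flag signatures that `gpg --check-sigs` could not check ("?") even though
# the issuer key is present in the local keyring.
# Usage with a real keyring:
#   gpg --list-keys  --with-colons        > keylist.txt
#   gpg --check-sigs --with-colons KEYID  > checksigs.txt
#   find_unverified_known_issuers keylist.txt checksigs.txt

# Prints "<issuer key ID> <capabilities field of that key>" once per issuer.
find_unverified_known_issuers() {
    awk -F: '
        FILENAME == ARGV[1] {
            # Colon format: field 5 = key ID, field 12 = key capabilities
            if ($1 == "pub" || $1 == "sub") caps[$5] = $12
            next
        }
        # sig records: field 2 starts with "?" when no usable public key was found
        $1 == "sig" && substr($2, 1, 1) == "?" && ($5 in caps) && !seen[$5]++ {
            print $5, caps[$5]
        }
    ' "$1" "$2"
}

# Constructed sample data: simplified records, made-up timestamps and
# capability strings; FFFFFFFFFFFFFFFF stands for a key that really is absent.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/keylist.txt" <<'EOF'
pub:u:255:22:6A965D3E6F0F28E8:1750809600:::u:::scESC::::::
pub:f:4096:1:237BCB3666CDC698:1601510400:1802217600::-:::cSE::::::
EOF
    cat > "$dir/checksigs.txt" <<'EOF'
pub:u:255:22:6A965D3E6F0F28E8:1750809600:::u:::scESC::::::
uid:u::::1750809600::::Jacob Keller (constructed)::::::::::0:
sig:!::22:6A965D3E6F0F28E8:1750809600::::Jacob Keller (constructed):13x:::::10:
sig:?::1:237BCB3666CDC698:1750809600::::[User ID not found]:10x:::::10:
sig:?::1:FFFFFFFFFFFFFFFF:1750809600::::[User ID not found]:10x:::::10:
EOF
    find_unverified_known_issuers "$dir/keylist.txt" "$dir/checksigs.txt"
    rm -rf "$dir"
}

demo
```

Any key ID it prints is an issuer that the keyring holds but the signature check treated as unavailable; an issuer that is simply not imported produces no output.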