On Fri, 2019-10-25 at 11:21 +0200, Tomas Janousek wrote:
> Cool, thanks for reproducing the issue! Just one question: when you say
> production key, does that mean a hardware security module like Ben mentioned,
> or can you reproduce this with a fully software implementation?

The production key is on a YubiKey, i.e. a hardware security module. Trying with the test key (software) didn't show the problem.

> Provided the latter, that means there exists an input to sign-file that
> produces an invalid (shorter) signature, and it's likely we can find another
> combination of key/module that also fails, and that can be made public (as
> opposed to the Debian production key). I don't have the computing resources
> for this, but if we're sure the reproducer exists, someone at LKML might.
>
> Otherwise I'm afraid you might need to dig a bit deeper. :-)

Sadly it looks like this requires more digging. I'll try later :/ At least it is an interesting problem.

Ansgar
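The thread talks about sign-file emitting an invalid, shorter signature without saying how one would spot that in a produced .ko. The following is an added example by the editor, not code from the thread or from the kernel tree: it parses the trailer that the kernel's scripts/sign-file appends (PKCS#7 DER blob, then the 12-byte struct module_signature with a big-endian sig_len, then the marker "~Module signature appended~\n") and checks that the declared sig_len agrees with the outer DER SEQUENCE length of the blob, which is the cheapest way to tell a truncated or short signature from a well-formed one before handing it to the kernel. The sample "module" and the fake_pkcs7 helper are constructed stand-ins (a DER SEQUENCE of zero bytes, not a real PKCS#7 message), used only so the check runs offline.

```python
import struct

# Layout used by the Linux kernel's scripts/sign-file and checked by
# kernel/module_signature.c: <module> <PKCS#7 DER> <module_signature> <marker>
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len  (12 bytes, big-endian)
SIG_INFO = struct.Struct(">BBBBB3xI")


def der_sequence_length(der):
    """Total encoded length (header + contents) of the outer DER SEQUENCE,
    or None if the bytes do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        return None
    content_len = int.from_bytes(der[2:2 + nbytes], "big")
    return 2 + nbytes + content_len


def inspect_signed_module(data):
    """Parse the appended-signature trailer and report inconsistencies.
    Returns a dict with 'signed', 'problems' and, when parsable, the
    declared sig_len, the DER length of the blob and the module length."""
    result = {"signed": False, "problems": []}
    if not data.endswith(MODULE_SIG_STRING):
        result["problems"].append("no module signature marker")
        return result
    result["signed"] = True
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        result["problems"].append("file too short for module_signature")
        return result
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    result["sig_len"] = sig_len
    if id_type != PKEY_ID_PKCS7:
        result["problems"].append("id_type %d is not PKEY_ID_PKCS7" % id_type)
    # The kernel rejects a PKCS#7 trailer unless these fields are all zero.
    if algo or hash_ or signer_len or key_id_len:
        result["problems"].append("non-zero algo/hash/signer_len/key_id_len")
    remaining = body[:-SIG_INFO.size]
    if sig_len > len(remaining):
        result["problems"].append("sig_len %d exceeds file" % sig_len)
        return result
    sig = remaining[len(remaining) - sig_len:]
    result["module_len"] = len(remaining) - sig_len
    der_len = der_sequence_length(sig)
    result["der_len"] = der_len
    if der_len is None:
        result["problems"].append("PKCS#7 blob does not start with a DER SEQUENCE")
    elif der_len != sig_len:
        result["problems"].append("DER length %d != sig_len %d" % (der_len, sig_len))
    return result


def append_signature(module, pkcs7):
    """Append a PKCS#7 blob the way sign-file lays it out (constructed helper)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MODULE_SIG_STRING


def fake_pkcs7(content_len):
    """Constructed stand-in for a PKCS#7 message: a DER SEQUENCE whose
    contents are content_len zero bytes. Not a real signature."""
    body = bytes(content_len)
    if content_len < 0x80:
        return b"\x30" + bytes([content_len]) + body
    lenbytes = content_len.to_bytes((content_len.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lenbytes)]) + lenbytes + body


# Constructed sample inputs: a fake module body, a consistent signed file,
# and one whose signature blob was cut short before the trailer was written.
MODULE = b"\x7fELF constructed module body, not a real kernel module\n"
GOOD = append_signature(MODULE, fake_pkcs7(300))
TRUNCATED = append_signature(MODULE, fake_pkcs7(300)[:250])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("truncated", TRUNCATED), ("unsigned", MODULE)):
        print(name, inspect_signed_module(blob))
```

Run it against a real .ko (`inspect_signed_module(open("foo.ko", "rb").read())`) to see whether a signature the kernel rejects is short at the trailer level; if the declared sig_len and the DER length agree, the defect is inside the PKCS#7 content and needs an ASN.1 dump of the blob rather than this check.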