@dkg explains why v3 signatures are problematic [in this
issue](https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c24):
> The upcoming cryptographic refresh of the OpenPGP standard explicitly says
> that clients MUST NOT generate v3 signatures but MAY verify them. However,
> v3 signatures contain significantly less context than v4 signatures. For
> example, the data signed by a v3 signature does not include the version
> number, the choices of hash and asymmetric algorithm involved, or any
> additional metadata that it is possible to embed in a v4 signature. The only
> two pieces of metadata actually covered by a v3 signature are the sigtype
> (one octet) and a four-byte timestamp (unsigned seconds since the unix epoch).
>
> If we've learned anything from cryptographic signing protocols over the last
> several decades, it's that one of the risks of signatures is that they can be
> interpreted out of context. the simple and obvious fix for this is to ensure
> that the relevant pieces of context are included in the signed data in an
> unambiguous way. v3 signatures cannot do that.
>
> I strongly recommend rpm producing a warning when it encounters a v3
> signature, so that we can flush out any remaining legacy signers.
AIUI, he's not saying that v3 signatures are known to be broken, but that there
are better alternatives that are less risky. Moreover, the 2007 standard
advised implementations to stop generating them.
The only software that I'm aware of that still generates them is obs-sign.
And, I only learned about that 9 days ago. Sequoia didn't verify them, and
this is the first report that we got that this is an issue. OpenPGP.js and
gopenpgp ["haven't supported it for quite a
while"](https://mailarchive.ietf.org/arch/msg/openpgp/iy0E0EhZ3Lt6gcJpgN6Z7xxMiio/),
and apparently they have't gotten any complaints either. `gpg` still
verifies them, but at least as of 2.2.27, it silently ignores the
`--force-v3-sigs` option:
```
$ echo | gpg -s --force-v3-sigs | sq packet dump
...
└── Signature Packet, old CTB, 307 bytes
Version: 4
...
```
Having Sequoia reject v3 signatures by default will hopefully help root out any
software that still generates v3 signatures. And if software still needs to
process v3 signatures using Sequoia, it's quite easy to opt in, as Fedora will
do.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1320901343
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
