Public bug reported: I recently migrated my keys to an Ubuntu system, running with 2.4.4-2ubuntu17.2, and discovered that one of the signatures on my key was not being verified:
$ gpg --check-sigs [email protected]
pub   ed25519 2025-06-25 [SC]
      204054A9D73390562AEC431E6A965D3E6F0F28E8
uid           [ultimate] Jacob Keller <[email protected]>
sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
uid           [ultimate] Jacob Keller <[email protected]>
sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
sub   cv25519 2025-06-25 [E]
sig!         6A965D3E6F0F28E8 2025-06-25  [self-signature]

gpg: 3 good signatures
gpg: 2 signatures not checked due to missing keys

The same keys on a different system (Fedora, running with gnupg2 2.4.7), all 5 signatures verify:

$ gpg --check-sigs [email protected]
pub   ed25519 2025-06-25 [SC]
      204054A9D73390562AEC431E6A965D3E6F0F28E8
uid           [ unknown] Jacob Keller <[email protected]>
sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
sig!         237BCB3666CDC698 2025-06-25  Tony Nguyen <[email protected]>
uid           [ unknown] Jacob Keller <[email protected]>
sig!3        6A965D3E6F0F28E8 2025-06-25  [self-signature]
sig!         237BCB3666CDC698 2025-06-25  Tony Nguyen <[email protected]>
sub   cv25519 2025-06-25 [E]
sig!         6A965D3E6F0F28E8 2025-06-25  [self-signature]

gpg: 5 good signatures

I verified that the signature from Tony exists:

$ gpg --list-keys 237BCB3666CDC698
pub   rsa4096 2020-10-01 [C] [expires: 2027-02-10]
      B75ECEE0E2943BED6D682232237BCB3666CDC698
uid           [ full ] Tony Nguyen <[email protected]>
sub   ed25519 2020-10-01 [S]
sub   rsa4096 2020-11-06 [E]
sub   rsa2048 2020-11-06 [E]

This was very confusing, and I scratched my head over this for several hours. Eventually, I tried the stock gnupg2 2.4.4 from source, and it worked just fine on the exact same key database.

I followed up by checking the gnupg2 source code that comes with the gnupg2 2.4.4-2ubuntu17.2 package. It has backports for several commits from the 2.5.x development series. I imported the quilt patches from the apt source for the package, and ran a git bisect.
This led me to the following backport as the failure:

$ git bisect log
git bisect start
# status: waiting for both good and bad commits
# bad: [a2fcde5b0456b70a1ed2f4157ecec152dd529409] gpg: Fix double free of internal data.
git bisect bad a2fcde5b0456b70a1ed2f4157ecec152dd529409
# status: waiting for good commit(s), bad commit known
# good: [a43271cc08e2068acc75a1742f90740afe0479e0] Release 2.4.4
git bisect good a43271cc08e2068acc75a1742f90740afe0479e0
# good: [bbb659d34de9c4d96908d76bdddfaec34143e115] agent: Fix timer list management.
git bisect good bbb659d34de9c4d96908d76bdddfaec34143e115
# good: [6387456592cbd6241a735b91b51a570f2d564c23] Use hkps://keys.openpgp.org as the default keyserver
git bisect good 6387456592cbd6241a735b91b51a570f2d564c23
# good: [b3f6128a287423c270be9f476b9597417b4f08d9] no-keyboxd
git bisect good b3f6128a287423c270be9f476b9597417b4f08d9
# good: [f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd] gpg: Remove a signature check function wrapper.
git bisect good f5af4f9467c49db3e944f9f33cf4b6b11e3cd0bd
# bad: [7254a9ba766cc25337e50199d5ce57aaffa6a103] CVE-2025-30258-4
git bisect bad 7254a9ba766cc25337e50199d5ce57aaffa6a103
# bad: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3
git bisect bad a7293b88e55e6c4a1e365578b7584527596a9219
# first bad commit: [a7293b88e55e6c4a1e365578b7584527596a9219] CVE-2025-30258-3

$ git show a7293b88e55e6c4a1e365578b7584527596a9219
commit a7293b88e55e6c4a1e365578b7584527596a9219
Author: Jacob Keller <[email protected]>
Date:   Thu Jun 26 11:59:07 2025 -0700

    CVE-2025-30258-3

    Backport of:

    From da0164efc7f32013bc24d97b9afa9f8d67c318bb Mon Sep 17 00:00:00 2001
    From: Werner Koch <[email protected]>
    Date: Fri, 21 Feb 2025 12:16:17 +0100
    Subject: [PATCH] gpg: Fix a verification DoS due to a malicious subkey in
     the keyring.

    * g10/getkey.c (get_pubkey): Factor code out to ...
    (get_pubkey_bykid): new.  Add feature to return the keyblock.
    (get_pubkey_for_sig): Add arg r_keyblock to return the used keyblock.
    Request a signing usage.
    (get_pubkeyblock_for_sig): Remove.
    (finish_lookup): Improve debug output.
    * g10/sig-check.c (check_signature): Add arg r_keyblock and pass it down.
    * g10/mainproc.c (do_check_sig): Ditto.
    (check_sig_and_print): Use the keyblock returned by do_check_sig to show
    further information instead of looking it up again with
    get_pubkeyblock_for_sig.  Also re-check the signature after the import
    of an included keyblock.
    --

    The problem here is that it is possible to import a key from someone
    who added a signature subkey from another public key and thus inhibits
    that a good signature could be verified.  Such a malicious key signature
    subkey must have been created w/o the mandatory backsig which bind a
    signature subkey to its primary key.  For encryption subkeys this is not
    an issue because the existence of a decryption private key is all you
    need to decrypt something and then it does not matter if the public
    subkey or its binding signature has been put below another primary key;
    in fact we do the latter for ADSKs.

    GnuPG-bug-id: 7527
    Backported-from-master: 48978ccb4e20866472ef18436a32744350a65158

I looked through the main development branch of the gnupg2 code and discovered that this CVE fix has multiple regression fixes. Most of them were already included in the Ubuntu package, except the following:

$ git show 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
commit 483f2ba02e70968e6c9f57afa0fc88f7566a76c4
Author: Werner Koch <[email protected]>
Date:   Fri May 2 11:11:05 2025 +0200

    gpg: Fix another regression due to the T7547 fix.

    * g10/getkey.c (get_pubkey_for_sig): Keep a requested PUBKEY_USAGE_CERT.
    (finish_lookup): For correctness in future use cases allow
    PUBKEY_USAGE_CERT to also trigger verify mode.
    --

    The case here was that a cert-only primary key was removed with
    export-clean.

    GnuPG-bug-id: 7583

I applied this to my test build and everything now works. I believe the Ubuntu package needs to backport this fix.
Other information:

$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.2 LTS
Release:        24.04

$ apt-cache policy gnupg2
gnupg2:
  Installed: (none)
  Candidate: 2.4.4-2ubuntu17.2
  Version table:
     2.4.4-2ubuntu17.2 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages
     2.4.4-2ubuntu17 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages

** Affects: gnupg2 (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2115446

Title:
  gnupg2 fails to identify public key of a signature
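A quick consistency check for the symptom reported above, added here as an example and not part of the bug report or of the gnupg project: it flags key signatures that gpg marks "not checked due to missing keys" even though the signer's key is present in the local keyring, which on an unaffected gpg should never happen. It assumes the `--with-colons` record layout from gnupg's doc/DETAILS (sig records: field 2 status, field 5 signer key ID; pub/sub records: field 5 key ID); the sample records, user IDs and the two subkey IDs are constructed, only the two key IDs from the report are real.

```shell
#!/bin/sh
# Added example (not from the report): flag signatures that gpg reports as
# "no public key" ('?' in --with-colons --check-sigs output) while the signer
# key ID is listed by --with-colons --list-keys. On a healthy gpg this prints
# nothing; the regression in the report shows up as a key ID being printed.
#
# Real use:
#   gpg --with-colons --check-sigs KEY > check.txt
#   gpg --with-colons --list-keys     > keys.txt
#   missing_but_present check.txt keys.txt

missing_but_present() {
    # $1: --check-sigs colon output, $2: --list-keys colon output
    # Read the keyring listing first (NR == FNR), then scan the sig records.
    awk -F: '
        NR == FNR { if ($1 == "pub" || $1 == "sub") present[$5] = 1; next }
        $1 == "sig" && $2 == "?" && ($5 in present) && !seen[$5]++ { print $5 }
    ' "$2" "$1"
}

# Constructed sample data, not captured output: key IDs 6A965D3E6F0F28E8 and
# 237BCB3666CDC698 are the ones from the report; everything else is made up.
WORK=$(mktemp -d)
CHECK_SIGS="$WORK/check.txt"
LIST_KEYS="$WORK/keys.txt"
cat >"$CHECK_SIGS" <<'EOF'
pub:u:256:22:6A965D3E6F0F28E8:1750809600:::u:::scESC::::::23::0:
uid:u::::1750809600::HASH::Jacob Keller <jacob@example.invalid>::::::::::0:
sig:!:3:22:6A965D3E6F0F28E8:1750809600::::[self-signature]:13x:::::2:
sig:?:1:1:237BCB3666CDC698:1750809600::::[User ID not found]:10x:::::2:
sig:?:1:1:1111222233334444:1750809600::::[User ID not found]:10x:::::2:
sub:u:256:18:0123456789ABCDEF:1750809600::::::e::::::23:
sig:!:1:22:6A965D3E6F0F28E8:1750809600::::[self-signature]:18x:::::2:
EOF
cat >"$LIST_KEYS" <<'EOF'
pub:f:4096:1:237BCB3666CDC698:1601510400:1802131200::f:::c::::::23::0:
uid:f::::1601510400::HASH::Tony Nguyen <tony@example.invalid>::::::::::0:
sub:f:256:22:FEDCBA9876543210:1601510400::::::s::::::23:
EOF

# Prints 237BCB3666CDC698: the certification by Tony's cert-only primary key
# was skipped although that key is in the keyring. 1111222233334444 is
# genuinely absent and therefore not reported.
missing_but_present "$CHECK_SIGS" "$LIST_KEYS"
```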
