Flaw with GPG Signature Verification

Published: 2006-03-10
Last Updated: 2006-03-10 18:01:47 UTC
by David Goldsmith (Version: 1)
0 comment(s)
There is a flaw with how GPG does verification of signatures that are attached to the signed data.

From the posting to the gnupg-announce mailing list:

"Signature verification of non-detached signature may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature.  Thus it is possible for an attacker to take any signed message and inject extra arbitrary data."

OpenPGP messages (this can be a file or an email message) can contain multiple data segments each with their corresponding signature segment.  If all of the data segments are untampered, then all of the corresponding signatures check out and the message as a whole is considered to have a valid signature.  If any of the data segments have been tampered, then that specific signature segment fails and the entire message is considered to have an invalid signature.

The flaw comes in to play when someone inserts unsigned data into the OpenPGP message either before the data segment or after the signature segment.  As long as all of the signed message segments check out as ok, the entire message is still considered to be validly signed even if extraneous data is included.

For folks who download software or other files from FTP/HTTP servers where a GPG/PGP signature of the download file is provided as a seperate file, the signature verification can still be trusted.

The recommendation for this flaw is to upgrade to the latest version of GnuPG (version  All prior versions are affected.

You can see the entire gnupg-announce post here.

0 comment(s)


Diary Archives