Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GopenPGP successfully verifies signatures using SHA-1 #101

Open
teythoon opened this issue Nov 17, 2020 · 1 comment
Open

GopenPGP successfully verifies signatures using SHA-1 #101

teythoon opened this issue Nov 17, 2020 · 1 comment
Labels
v2 Targeting GopenPGP v2

Comments

@teythoon
Copy link

SHA-1 is unsuitable for signatures over data. The first
collision was published in 2017, and attacks have advanced since
to the point that chosen-prefix attacks are feasible now.

Signatures using SHA-1 in signed messages and detached signatures
must be rejected.

Relevant test: https://tests.sequoia-pgp.org/#Signature_over_the_shattered_collision

The case is less clear for self-signatures in OpenPGP
certificates, because we discovered that use in certificates is
still wide-spread. Please follow the discussion on openpgp@:

https://mailarchive.ietf.org/arch/msg/openpgp/Rp-inhYKT8A9H5E34iLTrc9I0gc/

Reproducer

Use this certificate:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Bob's OpenPGP certificate

mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv
/seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz
/56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/
5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3
X5KMN5kp2zraLv9dlBBpWW43XktjcCZgMy20SouraVma8Je/ECwUWYUiAZxLIlMv
9CurEOtxUw6N3RdOtLmYZS9uEnn5y1UkF88o8Nku890uk6BrewFzJyLAx5wRZ4F0
qV/yq36UWQ0JB/AUGhHVPdFf6pl6eaxBwT5GXvbBUibtf8YI2og5RsgTWtXfU7eb
SGXrl5ZMpbA6mbfhd0R8aPxWfmDWiIOhBufhMCvUHh1sApMKVZnvIff9/0Dca3wb
vLIwa3T4CyshfT0AEQEAAbQhQm9iIEJhYmJhZ2UgPGJvYkBvcGVucGdwLmV4YW1w
bGU+iQHOBBMBCgA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE0aZuGiOx
gsmYD3iM+/zIKgFeczAFAl2lnvoACgkQ+/zIKgFeczBvbAv/VNk90a6hG8Od9xTz
XxH5YRFUSGfIA1yjPIVOnKqhMwps2U+sWE3urL+MvjyQRlyRV8oY9IOhQ5Esm6DO
ZYrTnE7qVETm1ajIAP2OFChEc55uH88x/anpPOXOJY7S8jbn3naC9qad75BrZ+3g
9EBUWiy5p8TykP05WSnSxNRt7vFKLfEB4nGkehpwHXOVF0CRNwYle42bg8lpmdXF
DcCZCi+qEbafmTQzkAqyzS3nCh3IAqq6Y0kBuaKLm2tSNUOlZbD+OHYQNZ5Jix7c
ZUzs6Xh4+I55NRWl5smrLq66yOQoFPy9jot/Qxikx/wP3MsAzeGaZSEPc0fHp5G1
6rlGbxQ3vl8/usUV7W+TMEMljgwd5x8POR6HC8EaCDfVnUBCPi/Gv+egLjsIbPJZ
ZEroiE40e6/UoCiQtlpQB5exPJYSd1Q1txCwueih99PHepsDhmUQKiACszNU+RRo
zAYau2VdHqnRJ7QYdxHDiH49jPK4NTMyb/tJh2TiIwcmsIpGuQGNBF2lnPIBDADW
ML9cbGMrp12CtF9b2P6z9TTT74S8iyBOzaSvdGDQY/sUtZXRg21HWamXnn9sSXvI
DEINOQ6A9QxdxoqWdCHrOuW3ofneYXoG+zeKc4dC86wa1TR2q9vW+RMXSO4uImA+
Uzula/6k1DogDf28qhCxMwG/i/m9g1c/0aApuDyKdQ1PXsHHNlgd/Dn6rrd5y2AO
baifV7wIhEJnvqgFXDN2RXGjLeCOHV4Q2WTYPg/S4k1nMXVDwZXrvIsA0YwIMgIT
86Rafp1qKlgPNbiIlC1g9RY/iFaGN2b4Ir6GDohBQSfZW2+LXoPZuVE/wGlQ01rh
827KVZW4lXvqsge+wtnWlszcselGATyzqOK9LdHPdZGzROZYI2e8c+paLNDdVPL6
vdRBUnkCaEkOtl1mr2JpQi5nTU+gTX4IeInC7E+1a9UDF/Y85ybUz8XV8rUnR76U
qVC7KidNepdHbZjjXCt8/Zo+Tec9JNbYNQB/e9ExmDntmlHEsSEQzFwzj8sxH48A
EQEAAYkBtgQYAQoAIBYhBNGmbhojsYLJmA94jPv8yCoBXnMwBQJdpZzyAhsMAAoJ
EPv8yCoBXnMw6f8L/26C34dkjBffTzMj5Bdzm8MtF67OYneJ4TQMw7+41IL4rVcS
KhIhk/3Ud5knaRtP2ef1+5F66h9/RPQOJ5+tvBwhBAcUWSupKnUrdVaZQanYmtSx
cVV2PL9+QEiNN3tzluhaWO//rACxJ+K/ZXQlIzwQVTpNhfGzAaMVV9zpf3u0k14i
tcv6alKY8+rLZvO1wIIeRZLmU0tZDD5HtWDvUV7rIFI1WuoLb+KZgbYn3OWjCPHV
dTrdZ2CqnZbG3SXw6awH9bzRLV9EXkbhIMez0deCVdeo+wFFklh8/5VK2b0vk/+w
qMJxfpa1lHvJLobzOP9fvrswsr92MA2+k901WeISR7qEzcI0Fdg8AyFAExaEK6Vy
jP7SXGLwvfisw34OxuZr3qmx1Sufu4toH3XrB7QJN8XyqqbsGxUCBqWif9RSK4xj
zRTe56iPeiSJJOIciMP9i2ldI+KgLycyeDvGoBj0HCLO3gVaBe4ubVrj5KjhX2PV
NEJd3XZRzaXZE2aAMQ==
=NXei
-----END PGP PUBLIC KEY BLOCK-----

To verify this signature:

-----BEGIN PGP SIGNATURE-----

wsDzBAABAgAdFiEE0aZuGiOxgsmYD3iM+/zIKgFeczAFAl+uh1wACgkQ+/zIKgFe
czBqzAv9G9v98so++R88YSVMTGbfzq4fSh4C/DkfZCT9+j6H1IpYfjfouFQNtTE7
0ACiusd0cTxBdRKOqsbh9EW3yfv77+8XU+sNY0QZ2UgfbEW1USAP4BgACMkpSu5X
mlcE65jw7bhfdnnNsypOKORpH/uyLSMTAvBj3rrzFyikDjJwmSyLdJocjCawkr0U
aOQfDZfJVXhRCj9oXrRW2LBdB7HsLqwFvt/EIct8FYnTxriV8+xuVaihCbX357uE
NXqbT8x07xMAUws/iwrHptmPZP6sz4+bdekMXAMncY4hBR8J0NDh6vpq8yYRylpa
ebJ8mLGhujJPIcU12VOMimGE7+zpAwmlJgPQqdZsjS1ZuvQ/BS37hRIvdUTZljff
EXqqJq3SwZOvdvyRzTk3vciZhEzJ2aLSj0A4PY/k/6fZEdY3ZHRKdWP3btOU6GNF
b+BXPE/eNerLy0Y5BgMOKfsOaqPGz4bDJTNv83gsbYPyFXvhb0hTESRgyNeGC+rC
WOUcC767
=Ox9v
-----END PGP SIGNATURE-----

Over these two files:

The signature authenticates both files even though they are
different.
@wussler
Copy link
Collaborator

wussler commented Nov 26, 2020

Hi @teythoon, since June 25th 2020 (commit 608beda) we started returning errors for sha1 signatures, specifically we allow only:

var allowedHashes = []crypto.Hash{
	crypto.SHA224,
	crypto.SHA256,
	crypto.SHA384,
	crypto.SHA512,
}

We're working on upgrading the gosop implementation to 2.1.1.

Cheers,
Aron

@lubux lubux added the v2 Targeting GopenPGP v2 label Jun 21, 2024
@s-l-teichmann s-l-teichmann mentioned this issue Dec 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
v2 Targeting GopenPGP v2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@teythoon @wussler @lubux