Hi!
On Mon, 22 Apr 2019 08:55, HeikoStamer(_at_)gmx(_dot_)net said:
There is no distinction between V3, V4, and V5 signatures resp. keys.
However, GnuPG computes the hash in function hash_public_key() for V5
keys in a different way: starting with octet 0x9a and a four-octet
length is given before the body of key packet is hashed.
That is because 12.2 (Key IDS and Fingerprints) has
A V4 fingerprint is the 160-bit SHA-1 hash of the octet 0x99,
followed by the two-octet packet length, followed by the entire
[...]
A V5 fingerprint is the 256-bit SHA2-256 hash of the octet 0x9A,
followed by the four-octet packet length, followed by the entire
I think it makes sense to keep the signature computation in sync with
the fingerprint computation. Using the four-octet length and thus 0x9a
is important because it remove ambiguities if the key material is larger
than 2^16.
Thus, either this part should be specified in RFC 4880bis with more
I would prefer to fix this flaw in rfc4880bis 5.2.4 (Computing
Signatures):
-When a signature is made over a key, the hash data starts with the
+When a V4 signature is made over a key, the hash data starts with the
octet 0x99, followed by a two-octet length of the key, and then body
-of the key packet. (Note that this is an old-style packet header for a
-key packet with two-octet length.) A subkey binding signature (type
-0x18) or primary key binding signature (type 0x19) then hashes the
-subkey using the same format as the main key (also using 0x99 as the
-first octet). Primary key revocation signatures (type 0x20) hash only
-the key being revoked. Subkey revocation signature (type 0x28) hash
-first the primary key and then the subkey being revoked.
+of the key packet; when a V5 signature is made over a key, the hash
+data starts with the octet 0x9a, followed by a four-octet length of
+the key, and then body of the key packet. A subkey binding signature
+(type 0x18) or primary key binding signature (type 0x19) then hashes
+the subkey using the same format as the main key (also using 0x99 or
+0x9a as the first octet). Primary key revocation signatures (type
+0x20) hash only the key being revoked. Subkey revocation signature
+(type 0x28) hash first the primary key and then the subkey being
+revoked.
PS. Taking the above issue into account the given V5 sample key is
recognized by LibTMCG as required:
Thanks for testing.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp