
Ensure that hashed data streams cannot collide across versions

Daniel Kahn Gillmor requested to merge signature-version-invariant into main

This change ensures that a v5 signature can't be trivially repurposed to form a valid v3 signature over a subtly different data stream. Thanks to @DemiMarie for noticing this problem.

We do this by reverting the change of making the v5 trailer end with 8 octets, instead it ends with 4 octets. This keeps the sentinel octet in the same position as it was for v4 (and blocks it from looking like a v3 signature).

The series of changes also updates the sample v5 certificate and key, and adjusts the description of the hashed data stream for the signatures in that certificate.

It also adds some text to warn anyone defining a new version of a signature so that they don't run into this aliasing concern.

Closes: #130 (closed)

Edited by Daniel Kahn Gillmor
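As an added example, not code from the crypto-refresh draft or from any OpenPGP implementation, the following Python models the two trailer layouts the merge request contrasts and checks whether the tail of a v4/v5-style hashed data stream could be read back as the trailer of a v3 signature. The byte layouts are taken from RFC 4880 (v3: signature type, then a four-octet creation time; v4: `0x04`, `0xFF`, then a four-octet big-endian length of the hashed signature fields); the eight-octet v5 variant is the form the MR describes as reverted, modelled here by assumption as `0x05`, `0xFF`, then an eight-octet length. `sigdata` is a constructed placeholder for the signature's version/type/algorithm/hashed-subpacket fields.

```python
"""Structural aliasing check between OpenPGP hashed data streams of
different signature versions (added illustration; not the draft's code).

Assumed layouts of the hashed data stream:
  v3:                 data || sigtype[1] || creation_time[4]     (RFC 4880 5.2.2)
  v4:                 data || sigdata || 0x04 || 0xFF || len[4]  (RFC 4880 5.2.4)
  v5, 8-octet form:   data || sigdata || 0x05 || 0xFF || len[8]  (form reverted by the MR)
  v5, 4-octet form:   data || sigdata || 0x05 || 0xFF || len[4]  (form adopted by the MR)
"""
import struct

# Signature type octets defined in RFC 4880 section 5.2.1.  The assumption
# made here is that a v3 verifier rejects any type outside this set; 0xFF is
# not a signature type in any version, which is what makes it a sentinel.
VALID_V3_SIGTYPES = {0x00, 0x01, 0x02, 0x10, 0x11, 0x12, 0x13, 0x18, 0x19,
                     0x1F, 0x20, 0x28, 0x30, 0x40, 0x50}


def hashed_stream(version: int, data: bytes, sigdata: bytes,
                  length_octets: int) -> bytes:
    """Build a v4/v5-style hashed data stream: the signed data, the
    signature fields, then the trailer <version> 0xFF <length of sigdata>
    with the length encoded in `length_octets` big-endian octets."""
    if length_octets == 4:
        length = struct.pack(">I", len(sigdata))
    elif length_octets == 8:
        length = struct.pack(">Q", len(sigdata))
    else:
        raise ValueError("trailer length field must be 4 or 8 octets")
    return data + sigdata + bytes([version, 0xFF]) + length


def v3_hashed_stream(data: bytes, sigtype: int, creation_time: int) -> bytes:
    """Build the v3 hashed data stream: data, one-octet signature type,
    four-octet big-endian creation time."""
    return data + bytes([sigtype]) + struct.pack(">I", creation_time)


def v3_alias(stream: bytes):
    """If `stream` is byte-for-byte also a plausible v3 hashed data stream,
    return the (data, sigtype, creation_time) a v3 verifier would accept;
    otherwise return None.  Only the last five octets decide this, because
    a v3 verifier treats everything before them as the signed document."""
    if len(stream) < 5:
        return None
    data, tail = stream[:-5], stream[-5:]
    sigtype = tail[0]
    if sigtype not in VALID_V3_SIGTYPES:
        return None
    creation_time = struct.unpack(">I", tail[1:])[0]
    return data, sigtype, creation_time


def aliasing_report(data: bytes, sigdata: bytes) -> dict:
    """Run the check for the three layouts above and report, per layout,
    whether the stream aliases a v3 signature."""
    streams = {
        "v4": hashed_stream(4, data, sigdata, 4),
        "v5-8-octet": hashed_stream(5, data, sigdata, 8),
        "v5-4-octet": hashed_stream(5, data, sigdata, 4),
    }
    return {name: v3_alias(s) is not None for name, s in streams.items()}


if __name__ == "__main__":
    # Constructed sample input; real sigdata would be the signature's
    # version, type, algorithm octets and hashed subpackets.
    sample_data = b"hello, world"
    sample_sigdata = bytes.fromhex("05 00 16 08 00 06 05 02 60 00 00 00")
    for name, aliases in aliasing_report(sample_data, sample_sigdata).items():
        print(f"{name:11s} aliases a v3 signature: {aliases}")
    alias = v3_alias(hashed_stream(5, sample_data, sample_sigdata, 8))
    print("8-octet v5 stream reads as v3 type 0x%02x, creation time %d, over %r"
          % (alias[1], alias[2], alias[0]))
```

With the eight-octet length, the last five octets of the stream are a leading zero of the length field followed by the low four octets, so a v3 verifier sees signature type `0x00` (binary document) with the length as its creation time, over a document that is the original data plus the signature fields and three extra octets. With a four-octet length the fifth-from-last octet is the `0xFF` sentinel, which is not a signature type, so no v3 reading exists; the check is purely structural and assumes both signatures would use the same hash algorithm, which is the case the MR is guarding against.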
