x/crypto/openpgp: only the first packet is considered for openpgp signatures with multiple signature packets #12242

Closed
SeanBurford opened this issue Aug 20, 2015 · 2 comments

@SeanBurford

OpenPGP signatures can consist of multiple signature packets. It should be sufficient to trust any of those signatures provided you trust the signing key for that purpose.

go_crypto currently assumes an OpenPGP signature is a single packet.

For example, Debian Release signatures contain multiple signature packets signed with Debian's legacy and current keys:

$ gpg --list-packets /tmp/Release.gpg
:signature packet: algo 1, keyid 8B48AD6246925553
    version 4, created 1429960298, md5len 0, sigclass 0x00
    digest algo 8, begin of digest e7 9f
    hashed subpkt 2 len 4 (sig created 2015-04-25)
    subpkt 16 len 8 (issuer key ID 8B48AD6246925553)
    data: [4096 bits]
:signature packet: algo 1, keyid 7638D0442B90D010
    version 4, created 1429960298, md5len 0, sigclass 0x00
    digest algo 8, begin of digest e7 9f
    hashed subpkt 2 len 4 (sig created 2015-04-25)
    subpkt 16 len 8 (issuer key ID 7638D0442B90D010)
    data: [4095 bits]
:signature packet: algo 1, keyid CBF8D6FD518E17E1
    version 4, created 1429960324, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 90 19
    hashed subpkt 2 len 4 (sig created 2015-04-25)
    subpkt 16 len 8 (issuer key ID CBF8D6FD518E17E1)
    data: [4094 bits]
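
A simplified model of the policy asked for above, added here as an example and not code from x/crypto/openpgp or from its fix: Ed25519 from the Go standard library stands in for OpenPGP signature packets, and the `Sig`, `Keyring`, `VerifyAny`, `VerifyFirst` and `Sample` names, the keys and the message are all constructed. The key IDs from the listing are used only as labels, and a keyring that trusts only the last one is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Sig models one signature packet: issuer key ID plus signature bytes.
type Sig struct{ Issuer string; Data []byte }

// Keyring maps each trusted key ID to its public key.
type Keyring map[string]ed25519.PublicKey

// VerifyAny returns the first issuer whose signature verifies under a trusted key.
func VerifyAny(kr Keyring, msg []byte, sigs []Sig) (string, bool) {
	for _, s := range sigs { // unknown issuers and bad signatures are skipped
		if pub, ok := kr[s.Issuer]; ok && ed25519.Verify(pub, msg, s.Data) {
			return s.Issuer, true
		}
	}
	return "", false
}

// VerifyFirst models the reported behaviour: only the first signature counts.
func VerifyFirst(kr Keyring, msg []byte, sigs []Sig) (string, bool) {
	if len(sigs) > 1 {
		sigs = sigs[:1]
	}
	return VerifyAny(kr, msg, sigs)
}

// Sample: constructed message and throwaway keys; only the last key is trusted.
func Sample() (Keyring, []byte, []Sig) {
	kr, msg, sigs := Keyring{}, []byte("constructed Release contents"), []Sig(nil)
	for i, id := range []string{"8B48AD6246925553", "7638D0442B90D010", "CBF8D6FD518E17E1"} {
		seed := [ed25519.SeedSize]byte{byte(i + 1)} // fixed seed: reproducible demo key
		priv := ed25519.NewKeyFromSeed(seed[:])
		sigs = append(sigs, Sig{id, ed25519.Sign(priv, msg)})
		if i == 2 {
			kr[id] = priv.Public().(ed25519.PublicKey)
		}
	}
	return kr, msg, sigs
}

func main() {
	fmt.Println(VerifyFirst(Sample())) // behaviour described in the report
	fmt.Println(VerifyAny(Sample()))   // behaviour the report asks for
}
```

Relabelling an untrusted signature with a trusted key ID does not help it pass, because the signature is still checked against that key's public key.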
@ianlancetaylor changed the title from "only the first packet is considered for openpgp signatures with multiple signature packets" to "x/crypto/openpgp: only the first packet is considered for openpgp signatures with multiple signature packets" Aug 21, 2015
@ianlancetaylor ianlancetaylor added this to the Unreleased milestone Aug 21, 2015
@ianlancetaylor
Contributor

CC @agl

@agl agl self-assigned this Aug 22, 2015
@mikioh
Contributor

mikioh commented Aug 29, 2015

Fixed by golang/crypto@2b8f097.

@mikioh mikioh closed this as completed Aug 29, 2015
@golang golang locked and limited conversation to collaborators Sep 4, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Nov 24, 2019
Fixes golang#12242

Change-Id: Ie40e84bc9e7db390219d85a7eddea99accb19cb8
Reviewed-on: https://go-review.googlesource.com/13781
Reviewed-by: Adam Langley <agl@golang.org>
@rsc rsc unassigned agl Jun 23, 2022