-
Notifications
You must be signed in to change notification settings - Fork 479
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature not verified when signing using an OpenPGP card #2688
Comments
I see this here as well (step 1 to 4), running latest git version on Android 9. Didn't try steps 5 to 7 though. |
Is this issue also happening without external hardware? |
If I understand correctly the OP steps 5 to 7, I'd say no. |
No, only with hardware token for my tests. |
I've just discovered that the signature is verified correctly in mutt , even when generated by a key on a hardware token. This means that the contents of the signature is ok, it must be some formatting issue somewhere which disturbs Thunderbird. |
The signature is indeed valid, I can also use gnupg to verify for signed and encrypted messages, they also worked on mailbox.org. The issue is that when the signature is created with a smart card, it cannot be verified on Thunderbird, ProtonMail, Mailvelope, which all uses OpenPGP.js for PGP. |
Could this be related somehow to bug #2333 ? I mean, it would be the same issue, which was worked around in GPG, but which causes issues on Thunderbird ? |
After further debugging, I'm pretty sure this is it. A signature generated from a "local" key in OpenKeychain will be like this:
A signature generated from a key inside a hardware token will be:
Notice the difference in the length of the subpkt 28. The len 19 packet contains "openpgp42@gmail.com", whereas the len 33 packet is "Stelian Pop openpgp42@gmail.com" Everything else seem to be identical. |
I was wrong. I have modified OpenKeychain to put only the email address into the Signer's User ID field, but it still fails to verify on Thunderbird. The error is reported in the logs as:
|
Can someone please share one signature that gives issues, and the public key? Then I can check the exact error returned by OpenPGP.js |
I attach them. ZIP password is |
Wrong ZIP password @dingwen07 :) |
Probably because of the encryption algorithm, anyway following is an unencrypted one. SHA1: |
I have done some extra debugging, and I think (emphasise on this, because I was wrong before...), that the problem is really in those two "lbits", which in fact are called "fingerprint" in OpenKeychain/bouncycastle terms, and which are supposed to be the first two bytes of the unsigned hash (see extern/bouncycastle/pg/src/main/java/org/bouncycastle/openpgp/PGPSignatureGenerator.java, around line 280) I traced the low level exchanges and I can confirm that the two bytes in the final signature are NOT the first two bytes of the unsigned hash. RNP catches this, while I suspect gpg doesn't even check those two bytes, only the signed hash which is OK. I'm trying to debug further and see why OpenKeychain generates the signature with the wrong two bytes fingerprint, but the data flow is still unclear to me (hash and signedHash are ok in SecurityTokenOperationActivity.java, but I'm not sure yet how this result is returned back and converted into the final signature). |
The previous code used java.security.MessageDigest.digest() more than once, which is incorrect because the digest is reset after each call. This made OpenKeychain generate invalid signatures when using a hardware token: the two bytes called "fingerprint", which are supposed to be the first two bytes of the unsigned digest, were incorrectly filled inside the signature. Some tools do not check this fingerprint, only the signed digest, so the signature was reported as valid. GPG is one of these tools. But some other tools (like OpenPGP.js which uses rnp) did check it, and reported an invalid signature, assorted with an error message saying "wrong lbits". Thunderbird is one of the users of OpenPGP.js This fixes bug open-keychain#2688
I was correct about the last assumptions about the digest being wrong. See explanation and fix in PR #2695 Thunderbird does show a pretty green PGP tick now ! |
Fixed in current master. |
A fix has been released in 5.7.5 |
When using FairEmail or K-9 Mail to create a signed (signed and encrypted or signed only) e-mail, the signature of the e-mail cannot be verified on the mail clients using OpenPGP.js (Thunderbird 78, ProtonMail, Mailvelop tested). This is not a problem with OpenPGP.js, because signed emails sent via GpgOL can be verified on OpenPGP.js. Moreover, if the OpenPGP card is not used when signing, the problem will not arise.
Expected Behavior
The signature is verified on all clients
Current Behavior
Signature created using OpenPGP card is not verified on OpenPGP.js based clients
Steps to Reproduce (for bugs)
Context
Your Environment
The text was updated successfully, but these errors were encountered: