Your message dated Sat, 30 Nov 2024 12:19:33 +0000
with message-id <[email protected]>
and subject line Bug#1087821: fixed in gnupg2 2.4.7-1
has caused the Debian Bug report #1087821,
regarding gpg: rewrites some Ed25519 OpenPGP signature packets
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1087821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gpg
Version: 2.4.6-1
Severity: normal
Control: forwarded -1 https://dev.gnupg.org/T7403

The version of gpg in experimental (2.4.6-1) currently rewrites OpenPGP
signature packets if they're made with Ed25519, and they have less than
256 bits in either R or S. It rewrites them to a form that is in
contravention of every OpenPGP RFC (and the LibrePGP Internet Draft as
well), because the high bit of R or S is cleared, but the MPI length
octets are malformed. Signatures of this structure are likely to cause
crashes in some other OpenPGP implementations.

2.2.45-2 (in unstable) does not have this misbehavior. In fact,
2.2.45-2 corrects malformed MPIs so that they are correctly formed.

This means that OpenPGP certificates ("transferable public keys" or "key
blocks") will actually be rewritten each time they are exchanged between
2.4.6 and 2.2.45, which is deeply weird. We should avoid introducing
the kinds of malformed output produced by 2.4.6 into the larger OpenPGP
ecosystem.
--dkg
--- End Message ---
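
The MPI framing rule at issue in the report above, as an added example (not code from GnuPG or from the reporter): an OpenPGP MPI is a two-octet bit count followed by the value, and the count must equal the position of the highest set bit. The function names are hypothetical and the sample bytes are constructed; the report does not give the exact bytes 2.4.6 emitted.

```python
# Added example: audit OpenPGP MPI framing (RFC 4880 section 3.2).
# Sample bytes are constructed, not taken from any real signature.

def parse_mpi(buf, offset=0):
    """Return (declared_bits, value_octets, next_offset) for the MPI at offset."""
    if len(buf) - offset < 2:
        raise ValueError("truncated MPI length field")
    declared_bits = int.from_bytes(buf[offset:offset + 2], "big")
    end = offset + 2 + (declared_bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return declared_bits, buf[offset + 2:end], end

def is_well_formed(declared_bits, octets):
    """The declared bit count must equal the position of the highest set bit."""
    return int.from_bytes(octets, "big").bit_length() == declared_bits

def canonical_mpi(value):
    """Encode a non-negative integer as a correctly formed MPI."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def audit_signature_mpis(blob):
    """Walk consecutive MPIs (e.g. R then S) and report each one's status."""
    report, offset = [], 0
    while offset < len(blob):
        bits, octets, offset = parse_mpi(blob, offset)
        value = int.from_bytes(octets, "big")
        report.append({
            "declared_bits": bits,
            "actual_bits": value.bit_length(),
            "well_formed": is_well_formed(bits, octets),
            "canonical": canonical_mpi(value),
        })
    return report

# Constructed sample: R has a zero top octet but is framed as 256 bits
# (malformed); S has its top bit set and is framed correctly.
R_VALUE = bytes([0x00, 0x5A]) + bytes(range(1, 31))   # 32 octets, top 9 bits clear
S_VALUE = bytes([0x80]) + bytes(range(1, 32))         # 32 octets, top bit set
SAMPLE = (256).to_bytes(2, "big") + R_VALUE + (256).to_bytes(2, "big") + S_VALUE

if __name__ == "__main__":
    for name, entry in zip("RS", audit_signature_mpis(SAMPLE)):
        print(name, entry["declared_bits"], entry["actual_bits"], entry["well_formed"])
```

Running the audit over the MPIs of a signature before and after a round trip through an implementation shows whether that implementation altered the framing.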
--- Begin Message ---
Source: gnupg2
Source-Version: 2.4.7-1
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Nov 2024 11:49:02 +0100
Source: gnupg2
Architecture: source
Version: 2.4.7-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1087821
Changes:
 gnupg2 (2.4.7-1) experimental; urgency=medium
 .
   * New upstream version.
     + Drop cherry-picked patch.
     + Fixes change of binary representation of Ed25519 OpenPGP signature
       packets on export/import. Closes: #1087821
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---