Hi all,
On Fri, 02 Jan 2026 11:38:46 +0100,
Michael J Gruber wrote:
> Some fun facts and an idea:
>
> - Other implementations such as sequoia are affected by some of the
> bugs, too.
>
> - The demo at 39C3 downloads a fake Fedora 43 iso/sig and verifies it
> successfully (including sha256sum) against the official Fedora key. At
> least that's what it looks like on the CLI with an unpatched gnupg.
> [No, they're not blaming it on Fedora.]
The attack relies on gpgv and sq interpreting the checksum file one
way and sha256sum a different way.
The fundamental issue is the following. Fedora's verification recipe
instructs the user to use the signature to verify the checksum file,
and then to use sha256sum with the original checksum file to verify
the iso:
gpgv --keyring ./fedora.gpg Fedora-Workstation-43-1.6-x86_64-CHECKSUM
sha256sum --ignore-missing -c Fedora-Workstation-43-1.6-x86_64-CHECKSUM
This is wrong. sha256sum must use the verified data to verify the
iso. That is, something like:
gpgv --keyring ./fedora.gpg Fedora-Workstation-43-1.6-x86_64-CHECKSUM
--output - \
| sha256sum --ignore-missing -c
By passing the verified data (and only the verified data) to
sha256sum, sha256sum is guaranteed to only work with the intended
data.
Unfortunately, although the man page suggests that --output should
emit the verified data:
--output file
-o file
Write output to file; to write to stdout use -. This option
can be used to get the signed text from a cleartext or binary
signature; it also works for detached signatures, but in that
case this option is in general not useful. Note that an
existing file will be overwritten.
the above command does not work for me:
$ gpgv --keyring ./fedora.gpg Fedora-Workstation-43-1.6-x86_64-CHECKSUM
--output -
gpgv: Packet type 63 not allowed in detached signature
gpgv: no valid OpenPGP data found.
gpgv: verify signatures failed: Unexpected error
Sequoia does the right thing by default: it unconditionally emits the
verified data. Using sq, the command would be:
sq verify --cleartext --signer-file ./fedora.gpg
Fedora-Workstation-43-1.6-x86_64-CHECKSUM \
| sha256sum --ignore-missing -c -
This correctly detects the attack and is the behavior that the
researchers recommend in their write up:
To prevent confusion about the actual signed data, OpenPGP
implementations should output the data bound by the signature during
validation by default. sequoia-sq does so. GnuPG does not and
requires the --output option to be set.
https://gpg.fail/notsoclear
Unfortunately, the researchers did not make it clear in their
presentation that sq already does the right thing.
If you are interested in some more details, I've written them up here:
https://sequoia-pgp.org/blog/2026/01/12/202601-to-sign-or-not-to-sign/
As far as I can tell, gpgv cannot be convinced to do the right thing.
One approach would be to change the instructions to use sq. sq is
available in most Linux distributions:
https://repology.org/project/sequoia-sq/versions
One might argue that sq is not installed by default, but gpgv is.
This is currently changing. For instance on Debian, gpgv is no longer
installed by default, as apt switched to Sequoia.
Another approach would be to directly sign the iso instead of the
checksum file. The checksum file doesn't add much security anyway as
by default the checksum file is downloaded from the same potentially
untrusted server as the ISO. Further, the user should still use the
verified data, not the original file, which precludes gpgv.
Thoughts?
:) Neal
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
