On Mon, Nov 21, 2016 at 11:31:26PM +0100, Ignat Korchagin wrote: > On Mon, Nov 21, 2016 at 6:56 PM, Jon McCune <jonmcc...@google.com> wrote: > > On Mon, Nov 21, 2016 at 6:45 AM, Daniel Kiper <dki...@net-space.pl> wrote: > >> > >> On Fri, Nov 18, 2016 at 12:00:08PM +0000, Ignat Korchagin wrote: > >> > Reposting this, as requested by Daniel and rebasing on current tree. > >> > > >> > Currently GRUB2 verify logic searches PGP keyid only in unhashed > >> > subpackets of PGP signature packet. As a result, signatures generated > >> > with > >> > GoLang openpgp package (https://godoc.org/golang.org/x/crypto/openpgp) > >> > could > >> > not be verified, because this package puts keyid in hashed subpackets and > >> > GRUB code never initializes the keyid variable, therefore is not able to > >> > find "verification key" with id 0x0. > > > > > > I think it would be wise to include a brief argument citing the OpenPGP RFC > > that this change is compliant. Compatibility with an existing implementation > > is valuable, but let's make sure the appropriate code is being changed. (I > > haven't looked carefully myself.) > > > > Thanks, > > -Jon > > > > > > This change is compliant with RFC 4880. According to p 5.2.3 only > "Signature Creation Time" subpacket "MUST be present in the hashed > area". All other subpacket types may be present either in hashed or > unhashed areas. Currently, GRUB assumes, that the "Issuer" subpacket > is in unhashed area (by default put there by gpg tool), but other PGP > implementations like (https://godoc.org/golang.org/x/crypto/openpgp) > may put it in the hashed area.
Please add this to commit message. Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
