I could be missing something here, but I think this is vulnerable to DO'1985, a/k/a Desmedt-Odlyzko:
https://github.com/rpgp/rpgp/blob/8e67756ebce780c91b8c2ffc7d...
In particular, in the presence of an insufficiently wide hash, the absence of padding here means that RSA signature validation is not secure under EUF-CMA. Matt Green has a great post on why and when EUF-CMA matters[1].
(This isn't necessarily this implementation's fault, since PGP seemingly (!) encourages the stripping of padding from signatures. But I can't find another source for whether this is actually encouraged by OpenPGP, or whether implementations just widely allow it.)
[1]: https://blog.cryptographyengineering.com/euf-cma-and-suf-cma...
Yep. We've got it working with OpenPGP Card devices (Yubikeys, Nitrokeys, etc.). The signing part was actually pretty easy and the decryption required a bit more work, but the maintainer was super responsive (https://github.com/rpgp/rpgp/pull/315).
Overall I'm pretty happy with the codebase.
The PoC for using cards in git is in https://github.com/wiktor-k/monkeybagel (excuse the silly name ;).
I agree that gpg did not age well. If we compare it to a different project with a similar history, curl, it's apparent that gpg chose wrong on several fronts. It should be a library first instead of a CLI tool. The funny part is that even the library of gpg (gpgme) is internally calling the binary.
I've played around with designing a higher-level library for OpenPGP once (https://pypi.org/project/pysequoia/) and personally I think it yields more readable, faster and more secure code.
Yep, I saw the upstream[1].
However, I misread this: I thought the padding was being done on the cleartext signing side, but this is padding of the signature itself. So there's some malleability here, but it isn't susceptible to DO'1985. I'll update my top-level comment.
[1]: https://github.com/RustCrypto/RSA/issues/272
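The distinction the thread lands on, malleability of the signature's outer encoding versus a forgery attack on the padding scheme, is easiest to see side by side. The following is an added example and not code from rPGP, RustCrypto/RSA or anyone in the thread. It implements RSASSA-PKCS1-v1_5 with SHA-256 over a constructed toy key (two Mersenne primes, chosen only because they are known to be prime and give an 81-byte modulus), then shows a strict verifier that enforces the two checks RFC 8017 specifies (signature is exactly k octets, representative is below n) next to a lenient one that converts whatever bytes it is given straight to an integer. The lenient verifier accepts more than one byte string for the same (message, signature) pair, which is the malleability in question; it does not let anyone sign a new message, which is why this is a different problem from Desmedt-Odlyzko.

```python
# Added example (not from the thread or from rPGP/RustCrypto): strict versus
# lenient decoding of an RSA PKCS#1 v1.5 signature over a constructed toy key.
import hashlib
import hmac

# Constructed demo key: p = 2^127 - 1 and q = 2^521 - 1 are both Mersenne
# primes, so the modulus is 648 bits (81 bytes). Illustration only; a key
# built from well-known primes offers no security.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # octet length of the modulus, here 81

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v1_5(msg: bytes) -> bytes:
    """Deterministic EMSA-PKCS1-v1_5 encoding of msg, exactly K bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    ps = b"\xff" * (K - len(t) - 3)  # 27 bytes of 0xff for this key size
    return b"\x00\x01" + ps + b"\x00" + t


def sign(msg: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 signature, canonically encoded as exactly K bytes."""
    m = int.from_bytes(emsa_pkcs1_v1_5(msg), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify_strict(msg: bytes, sig: bytes) -> bool:
    """Verifier that insists on the canonical encoding (RFC 8017, 8.2.2)."""
    if len(sig) != K:            # step 1: the signature must be K octets
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:                   # RSAVP1: representative must lie in [0, N)
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    # Encode-then-compare: rebuild the expected EM instead of parsing the
    # recovered one, so no lenient parsing of the padding is involved.
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(msg))


def verify_lenient(msg: bytes, sig: bytes) -> bool:
    """Verifier with no length or range check on the signature bytes.

    Every byte string that decodes to the same residue mod N is accepted for
    the same message, so the encoding is malleable."""
    s = int.from_bytes(sig, "big")
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(msg))


def noncanonical_encoding(sig: bytes) -> bytes:
    """Re-encode an existing valid signature as s + N, one byte longer.

    s + N is congruent to s mod N, so the lenient verifier still accepts it;
    the strict verifier rejects it on length alone. A signature whose leading
    byte happens to be zero can likewise be shortened by stripping that byte,
    and the same length check rejects that form."""
    s = int.from_bytes(sig, "big")
    return (s + N).to_bytes(K + 1, "big")


MSG = b"constructed sample message"  # constructed input

if __name__ == "__main__":
    sig = sign(MSG)
    alt = noncanonical_encoding(sig)
    print("canonical,  strict:  ", verify_strict(MSG, sig))
    print("canonical,  lenient: ", verify_lenient(MSG, sig))
    print("re-encoded, strict:  ", verify_strict(MSG, alt))
    print("re-encoded, lenient: ", verify_lenient(MSG, alt))
```

The strict verifier's two early checks are cheap and are exactly what a consumer of signatures should insist on before any modular exponentiation; the encode-then-compare step afterwards avoids having to parse the recovered padding at all, which is the other place lenient implementations have historically gone wrong.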