GNOME Bugzilla – Bug 555205
creates all-capable PGP keys when it should create Sign-Only keys
Last modified: 2009-10-11 01:03:55 UTC
[ forwarded from http://bugs.debian.org/501085 by Daniel Kahn Gilmor ]

When creating a new OpenPGP key, seahorse sets all capabilities on the key (Encrypt, Certify, Sign, Authenticate) even though it claims to create Sign-Only keys.

To reproduce from a bare account:

* launch seahorse
* Key | Create New Key | PGP Key
* enter bogus name/address/comment data (I've been using: "Test User (DO NOT USE!!!) <test@example.org>")
* expand "Advanced Key Options"
* set "Encryption Type" to "RSA (sign-only)"
* choose a password.
* examine the flags of the resulting keys:

  gpg --with-colons --fixed-list-mode --list-keys 'Test User' | grep '^pub:' | cut -f12 -d:

If the key was really "sign-only", the output should be marked either "sS" (Sign) or "scSC" (Sign and Certify). Instead, I get "escaESCA" from the above output.

This is bad, because it makes it difficult for users to separate the various capabilities across keys and subkeys. Keeping capabilities separated between keys is a useful "defense in layers" technique which allows users to rotate subkeys at different intervals, and to transfer more-sensitive keys into more secure storage.
*** Bug 539532 has been marked as a duplicate of this bug. ***
Created attachment 142563 [details] [review] Adds "Key-Usage: sign" line to --batch standard input

It took some digging [1], but this is actually really simple to fix: this patch makes sure Seahorse sends the line "Key-Usage: sign" to GnuPG when batch-generating a new key. Without that, GnuPG defaults to adding usage flags for all of RSA's capabilities, even though it's REALLY recommended not to use the same RSA key for encryption and signing, for security reasons.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2007-February/030330.html
Created attachment 142597 [details] [review] Add "Key-Usage:" and "Subkey-Usage:" lines to --batch input
Created attachment 142850 [details] [review] Add Key-Usage flags to new keys (Right, forgot to format it with the git commit message)
Does this patch work with GnuPG versions prior to 1.4.10? Or is "Key-Usage: sign" a new 1.4.10/2.0.12 feature that would break on earlier versions?
It's definitely not that new; it's mentioned in gpg-1.4.6's /doc/DETAILS at least. I think it's always been a part of that XML format.
Cool. I checked doc/DETAILS in gnupg 1.2.0 as well, and these fields are there. This patch no longer applies. Other than that, looks good to go in.
Created attachment 145224 [details] [review] Updated patch that applies to master This one should work again.
Thanks nobled. Committed. Tested by generating a 'RSA (sign only)' key. Josselin, could you test this as well, to make sure it fixes the bug for you?

commit 9065861cdb314a6351fe241145c73436f9252a8f
Author: nobled <nobled@dreamwidth.org>
Date: Sat Oct 10 16:27:24 2009 -0400

    Set usage flags during unattended key generation

    Add lines for "Key-Usage:" and "Subkey-Usage:" to the standard input
    to `gpg --batch --gen-key`, as documented in GnuPG's doc/DETAILS.

    Closes: bgo#555205
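The two halves of this thread, the "Key-Usage:" line the fix adds to the `gpg --batch --gen-key` input and the `cut -f12 -d:` capability check from the original report, as an added Python example. This is not seahorse's code or the committed patch; the helper names (`batch_params`, `key_capabilities`, `is_sign_only`) and the sample `--with-colons` listing are this example's own constructions, and the parameter-file keys it emits (Key-Type, Key-Length, Key-Usage, Name-Real, Name-Email, Passphrase, %commit) are the ones documented in GnuPG's doc/DETAILS.

```python
"""Added example: build the batch parameters for a sign-only OpenPGP key
and read the capability flags back out of `gpg --with-colons` output.

Not seahorse's code. Function names and the sample listing below are
this example's own; the parameter keys are those from GnuPG doc/DETAILS.
"""

# 12th colon-separated field of a "pub:" line (what `cut -f12 -d:` selects),
# zero-indexed for Python's str.split.
CAPABILITY_FIELD = 11


def batch_params(name, email, usage="sign", key_length=2048, passphrase=None):
    """Return the text fed to `gpg --batch --gen-key` on standard input.

    Without the "Key-Usage:" line GnuPG gives an RSA primary key every
    capability (e, s, c, a); with "Key-Usage: sign" the primary gets only
    sign (plus the cert flag a primary key always carries).
    """
    lines = [
        "Key-Type: RSA",
        f"Key-Length: {key_length}",
        f"Key-Usage: {usage}",          # the line the fix in this bug adds
        f"Name-Real: {name}",
        f"Name-Email: {email}",
    ]
    if passphrase is not None:
        lines.append(f"Passphrase: {passphrase}")
    lines.append("%commit")
    return "\n".join(lines) + "\n"


def key_capabilities(listing):
    """Map key ID -> capability field for every "pub:" line in a
    `gpg --with-colons --fixed-list-mode --list-keys` listing."""
    caps = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) <= CAPABILITY_FIELD:
            continue
        caps[fields[4]] = fields[CAPABILITY_FIELD]   # field 5 is the key ID
    return caps


def is_sign_only(caps):
    """True when the capability field describes a sign-only key.

    Lowercase letters are the primary key's own capabilities, uppercase
    the usable capabilities of the whole key including subkeys. "sS" and
    "scSC" (the values the report expects) pass; "escaESCA" does not, and
    neither does a key whose subkeys add encryption or authentication.
    """
    own = {c for c in caps if c.islower()}
    overall = {c.lower() for c in caps if c.isupper()}
    return "s" in own and not ({"e", "a"} & (own | overall))


# Constructed sample output in --with-colons format: one key generated
# without "Key-Usage:" (all flags), one generated with "Key-Usage: sign".
SAMPLE_LISTING = """\
tru::1:1255206444:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1255206444:::u:::escaESCA:
uid:u::::1255206444::DEADBEEF::Test User (DO NOT USE!!!) <test@example.org>:
pub:u:2048:1:FEDCBA9876543210:1255206500:::u:::scSC:
uid:u::::1255206500::CAFEBABE::Sign Only (DO NOT USE!!!) <signonly@example.org>:
"""


def classify_listing(listing):
    """Key ID -> (capability field, sign-only?) for a whole listing."""
    return {kid: (c, is_sign_only(c)) for kid, c in key_capabilities(listing).items()}


if __name__ == "__main__":
    print(batch_params("Test User (DO NOT USE!!!)", "test@example.org", passphrase="bogus"))
    for kid, (caps, ok) in classify_listing(SAMPLE_LISTING).items():
        print(kid, caps, "sign-only" if ok else "NOT sign-only")
```

To run the check against a real key, feed `batch_params(...)` to `gpg --batch --gen-key` with `GNUPGHOME` pointed at a scratch directory, then pass the output of `gpg --with-colons --fixed-list-mode --list-keys` to `classify_listing`; the unfixed behaviour described in the report shows up as `escaESCA`, the fixed one as `scSC`.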