choosing sigs among several with same creation time #1197

Open
tomholub opened this issue Jan 20, 2021 · 2 comments

Comments

@tomholub
Contributor

Consider this key:


It has two signatures on it: an older one which never expires, and a newer one which does expire.

OpenPGP.js interprets that as never expires (following the sig with later expiration)

gnupg (and PGPainless) interprets that as expiring (following the sig with later creation)

From the PGPainless developer:

Note that the expiration time is regarding the key, not the signature.
If a key has two signatures, one without a key expiration time and one with a key expiration time, then the signature with the greatest signature creation time wins (the signature that was made later).

I would therefore argue that PGPainless is behaving correctly when expiring a key by adding a signature. If OpenPGP.js interprets the key that was expired using PGPainless as not expiring then I'd say this is a bug in OpenPGP.js.

I was trying to find relevant words in the spec, and here's what I found: https://tools.ietf.org/html/rfc4880#section-5.2.3.3

An implementation that encounters multiple self-signatures on the same object may resolve the ambiguity in any way it sees fit, but it is RECOMMENDED that priority be given to the most recent self-signature.

Originally discussed at pgpainless/pgpainless#55

@twiss
Member

twiss commented Jan 20, 2021

OpenPGP.js does in fact select the newest signature if there is one, but both signatures in this key have the same creation time, so it's a bit ambiguous (OpenPGP.js currently selects the first one, but it's a bit arbitrary; we could change it by swapping a >= for a > if needed).

@tomholub
Contributor Author

tomholub commented Jan 21, 2021

Ah! That is ambiguous indeed. Thank you for looking into this!

OpenPGP sigs have a coarse signature time (one second increments). This was a key that was created and then another sig was immediately appended to it. We'll change this procedure to not cause this problem.

Long term, it may be reasonable enough to assume that, if the creation time is the same, the one that is later in the list is the "real" last. If nothing else, it would be consistent with at least one other major implementation.
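As an added illustration (not OpenPGP.js or PGPainless code) of the tie-break discussed in the two comments above: the most recent self-signature is selected, and on equal creation times a strict `>` keeps the first signature in the list while `>=` lets the last one win. The signature records and their field names are constructed for this example.

```javascript
// Constructed self-signatures in the order they appear on the key.
// 'created' is seconds since the epoch; 'keyExpirationTime' is seconds after
// key creation, or null when the signature carries no key-expiration subpacket.
// Both were made within the same second, as in the key from this issue.
const KEY_CREATED = 1611100800; // constructed key creation time
const selfSigs = [
  { created: 1611100800, keyExpirationTime: null },       // older sig: never expires
  { created: 1611100800, keyExpirationTime: 30 * 86400 }, // appended sig: expires in 30 days
];

// Pick the self-signature with the greatest creation time (RFC 4880 5.2.3.3).
// tieBreak 'first': strict '>' so an equal timestamp never replaces the current pick.
// tieBreak 'last':  '>=' so a later-listed signature with an equal timestamp replaces it.
function selectSelfSig(sigs, tieBreak) {
  let best = null;
  for (const sig of sigs) {
    if (best === null) { best = sig; continue; }
    const newer = tieBreak === 'last'
      ? sig.created >= best.created
      : sig.created > best.created;
    if (newer) best = sig;
  }
  return best;
}

// Effective key expiration as epoch seconds, or null for "never expires".
function keyExpiration(keyCreated, sigs, tieBreak) {
  const sig = selectSelfSig(sigs, tieBreak);
  if (sig === null || sig.keyExpirationTime === null) return null;
  return keyCreated + sig.keyExpirationTime;
}

// Same key, two tie-break rules, two different answers.
console.log('first wins:', keyExpiration(KEY_CREATED, selfSigs, 'first')); // null
console.log('last wins: ', keyExpiration(KEY_CREATED, selfSigs, 'last'));  // 1613692800
```

With distinct creation times (the appended signature one second later) both rules agree, which is why the issue only surfaces when a signature is appended within the same second as the key's original self-signature.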
