Package: gpg
Version: 2.4.6-1
Severity: normal
Control: forwarded -1 https://dev.gnupg.org/T7403
The version of gpg in experimental (2.4.6-1) currently rewrites OpenPGP signature packets if they're made with Ed25519, and they have less than 256 bits in either R or S. It rewrites them to a form that is in contravention of every OpenPGP RFC (and the LibrePGP Internet Draft as well), because the high bit of R or S is cleared, but the MPI length octets are malformed. Signatures of this structure are likely to cause crashes in some other OpenPGP implementations.

2.2.45-2 (in unstable) does not have this misbehavior. In fact, 2.2.45-2 corrects malformed MPIs so that they are correctly formed. This means that OpenPGP certificates ("transferable public keys" or "key blocks") will actually be rewritten each time they are exchanged between 2.4.6 and 2.2.45, which is deeply weird.

We should avoid introducing the kinds of malformed output produced by 2.4.6 into the larger OpenPGP ecosystem.

--dkg
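As an added illustration of the MPI well-formedness rule the report relies on (not code from the bug report, from gpg, or from any other OpenPGP implementation): RFC 4880 encodes each MPI as a two-octet bit count followed by the minimal big-endian magnitude, so for an Ed25519 R or S whose high bit is clear the count must say 255 (or fewer), not 256. The checker below parses the R and S MPIs of an EdDSA signature body, flags a declared bit count that does not match the value, and re-encodes the MPIs minimally the way a strict writer would. The R and S values and the malformed variant are constructed for the example; the malformation shown (correct body octets, wrong length octets) is one hypothetical shape and is not claimed to be byte-exact for what 2.4.6 emits.

```python
import struct

# Constructed sample values, not taken from any real key or signature.
R_VALUE = (1 << 254) | 0x1234   # 255-bit value: high bit of a 32-octet encoding is clear
S_VALUE = (1 << 255) | 0x5678   # 256-bit value


def encode_mpi(value: int) -> bytes:
    """Encode a non-negative integer as an RFC 4880 MPI: a two-octet big-endian
    bit count followed by the minimal big-endian magnitude (no leading zero
    octets, so the bit count equals value.bit_length())."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    nbits = value.bit_length()
    body = value.to_bytes((nbits + 7) // 8, "big") if nbits else b""
    return struct.pack(">H", nbits) + body


def parse_mpi(buf: bytes, offset: int = 0):
    """Read one MPI at offset, trusting the declared bit count for the body
    length (this is what a lenient reader does). Returns (value, declared_bits,
    next_offset); raises ValueError on truncation."""
    if len(buf) - offset < 2:
        raise ValueError("truncated MPI header")
    declared_bits = struct.unpack_from(">H", buf, offset)[0]
    start = offset + 2
    end = start + (declared_bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return int.from_bytes(buf[start:end], "big"), declared_bits, end


def check_mpi(buf: bytes, offset: int = 0):
    """Strict check: the declared bit count must equal the actual bit length of
    the value, since RFC 4880 forbids unnecessary leading zero bits.
    Returns (ok, reason, next_offset)."""
    value, declared_bits, nxt = parse_mpi(buf, offset)
    actual_bits = value.bit_length()
    if declared_bits != actual_bits:
        return False, f"declared {declared_bits} bits, value has {actual_bits}", nxt
    return True, "well-formed", nxt


def check_eddsa_sig_mpis(sig_material: bytes):
    """Walk the R and S MPIs of an EdDSA signature body and report on each,
    plus any bytes left over after S (a sign that lengths were wrong)."""
    report = []
    offset = 0
    for name in ("R", "S"):
        try:
            ok, reason, offset = check_mpi(sig_material, offset)
        except ValueError as exc:
            report.append((name, False, str(exc)))
            return report
        report.append((name, ok, reason))
    if offset != len(sig_material):
        report.append(("trailing", False,
                       f"{len(sig_material) - offset} unexpected trailing bytes"))
    return report


def normalize_eddsa_sig_mpis(sig_material: bytes) -> bytes:
    """Re-encode R and S minimally from their parsed values; this is the
    correction a strict writer applies to a malformed MPI."""
    out = b""
    offset = 0
    for _ in ("R", "S"):
        value, _declared, offset = parse_mpi(sig_material, offset)
        out += encode_mpi(value)
    return out


# Well-formed encoding of the constructed R and S: R carries a 255-bit count.
WELL_FORMED = encode_mpi(R_VALUE) + encode_mpi(S_VALUE)

# Constructed malformed variant: R's 32 body octets are unchanged (high bit
# clear) but the length octets claim 256 bits. Hypothetical shape, not a
# byte-exact reproduction of gpg 2.4.6 output.
MALFORMED = struct.pack(">H", 256) + R_VALUE.to_bytes(32, "big") + encode_mpi(S_VALUE)


if __name__ == "__main__":
    for label, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label, check_eddsa_sig_mpis(blob))
    print("normalized == well-formed:",
          normalize_eddsa_sig_mpis(MALFORMED) == WELL_FORMED)
```

The checker reads the body length from the declared bit count, as real parsers do, which is why a wrong count is dangerous: it shifts where the next MPI starts, so a reader that does not bound-check can walk off the end of the packet. The normalizer shows the other half of the report's observation: a strict writer that re-encodes from the parsed value silently produces the well-formed bytes again, which is the round-trip rewriting between versions the report describes.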