Githubs web-flow OpenPGP signatures and key are in incorrect format

[JanZerebecki]

I noticed that the OpenPGP/GPG/GnuPG signatures that Github makes on commits and tags and the associated key are in an incorrect format. This is currently being discussed in the IETF OpenPGP WG: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/209

Can anyone tell us if the OpenPGP implementation that Github is using is used anywhere else? Is the source available anywhere?

---

Some information copied here for context:

I extracted the signature from the commit containers/podman@242639f .

0x800 bits are 256 bytes, which we see. However, the first octet, 0x13, contains only five bits if you strip the leading zeros. Therefore, the correct MPI length is 0x7fd.

Below is the dump of the signature. Also see the analysis of the key in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/209#note_1044594616 .

> sq verify --signer-cert github.pubkey --detached sig.asc.txt data.txt 
Error: Malformed Message: Malformed OpenPGP message
> sq packet dump -x sig.asc.txt
Unknown or Unsupported Packet, new CTB, 3 header bytes + 284 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in    10011 (13)
  
    00000000  c2                                                 CTB
    00000001     c0 5c                                           length
    00000003           04                                        version
    00000004              00                                     type
    00000005                 01                                  pk_algo
    00000006                    08                               hash_algo
    00000007                       00  10                        hashed_area_len
    00000009                              05                     subpacket length
    0000000a                                 02                  subpacket tag
    0000000b                                    62 e0 04 67      sig creation time
    0000000f                                                09   subpacket length
    00000010  10                                                 subpacket tag
    00000011     4a ee 18 f8 3a fd eb  23                        issuer
    00000019                              00 00                  unhashed_area_len
    0000001b                                    a2               digest_prefix1
    0000001c                                       c7            digest_prefix2
    0000001d                                          08 00 13                ...
    00000020  03 b1 9b c2 66 38 8f 89  5c 6f 41 55 42 49 f7 cb   ....f8..\oAUBI..
    00000030  13 35 31 21 67 3a af 20  77 ef 4c cb fa ac e4 ac   .51!g:. w.L.....
    00000040  12 12 66 65 62 76 42 79  4b 1b e5 65 0e 7f 60 18   ..febvByK..e.`.
    00000050  ac 92 94 9f 2d de d8 f0  d4 62 55 d7 e9 6c 2d 56   ....-....bU..l-V
    00000060  f1 7e 10 b2 85 c3 7b 77  71 28 4b 83 50 cc 71 e3   .~....{wq(K.P.q.
    00000070  ba 29 a4 d4 3d 0b ce 2e  a2 c6 90 8e 9c f8 75 e1   .)..=.........u.
    00000080  94 fd 3c 16 fc 78 d6 7b  63 bd c7 df 9f cf 16 42   ..<..x.{c......B
    00000090  00 cb ab 18 4b 5c e5 0d  82 39 a0 59 65 c3 13 1a   ....K\...9.Ye...
    000000a0  87 ba c9 6a 15 ef 03 d9  06 27 2e ff 2a 66 a1 df   ...j.....'..*f..
    000000b0  54 27 8c 23 8c cc 2e af  63 88 e3 e9 93 63 be 18   T'.#....c....c..
    000000c0  c0 0c 42 d1 c2 6c cb e1  28 d3 66 53 19 07 2e 3e   ..B..l..(.fS...>
    000000d0  8d 89 95 2f b0 bf 83 4d  0b 0f 09 74 a0 c9 60 ea   .../...M...t..`.
    000000e0  dc 99 67 7a 36 e7 5d a6  88 46 13 c6 3a ce c8 fc   ..gz6.]..F..:...
    000000f0  4f e8 7f 87 22 fc 85 89  6f 90 e9 ac 3b f9 83 51   O.."...o...;..Q
    00000100  1e a0 0e 35 23 3d f7 bd  a7 f2 54 30 b2 ef c1 5a   ...5#=....T0...Z
    00000110  91 fc 9d cc 3c dc 3c 15  ad e8 19 ac a5 6c 79      ....<.<......ly

> cat sig.asc.txt 
-----BEGIN PGP SIGNATURE-----

wsBcBAABCAAQBQJi4ARnCRBK7hj4Ov3rIwAAoscIABMDsZvCZjiPiVxvQVVCSffL
EzUxIWc6ryB370zL+qzkrBISZmVidkJ5SxvlZQ5/YBiskpSfLd7Y8NRiVdfpbC1W
8X4QsoXDe3dxKEuDUMxx47oppNQ9C84uosaQjpz4deGU/TwW/HjWe2O9x9+fzxZC
AMurGEtc5Q2COaBZZcMTGoe6yWoV7wPZBicu/ypmod9UJ4wjjMwur2OI4+mTY74Y
wAxC0cJsy+Eo02ZTGQcuPo2JlS+wv4NNCw8JdKDJYOrcmWd6NuddpohGE8Y6zsj8
T+h/hyL8hYlvkOmsO/mDUR6gDjUjPfe9p/JUMLLvwVqR/J3MPNw8Fa3oGaylbHk=
=fT/+
-----END PGP SIGNATURE-----

[andrewgdotcom]

This issue affects not only signatures made over commits, but the self-signatures on the key. It is also not the only issue - importing this key into go-crypto fails because the digest prefix is set incorrectly on the self-sigs (sequoia and gnupg do not check this but other implementations do). It is reasonable to assume that digest prefixes are set incorrectly on all other sigs.

[dkg]

In the OpenPGP Working Group meeting at IETF 114 today, this consumed a bit of time and discussion.

This divergence from standards is likely to cause problems for the OpenPGP community (i'm a co-chair of the OpenPGP WG).

It would be great if Github could:

• Correct the OpenPGP certificate published at https://github.com/web-flow.gpg by correcting the MPI of the self-sig. Here is the fixed certificate: github-webflow-fixed-certificate.pgp.txt (its diff is just:

--- web-flow.gpg	2022-07-29 13:43:15.566983574 -0400
+++ github-webflow-fixed-certificate.pgp.txt	2022-07-29 13:19:37.711800616 -0400
@@ -7,11 +7,11 @@
 buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
 yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
 b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
-BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
+BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf
 DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
 +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
 j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
-=HXDP
+=HsBQ
 -----END PGP PUBLIC KEY BLOCK-----

• fix future signature generation to produce valid MPIs (if you can point to the code that is generating these signatures, i'd be happy to supply a liberally-licensed patch).

If those two steps can be done, that would solve everything going forward!

Subsequently, you might want to retrospectively fix signatures that have already been issued. I think that can be done without breaking anything, but i'm not entirely sure -- I'd be happy to talk with anyone on your team who is looking into that to try to help figure out the details.

[dkg]

if the signature is on a terminal element, like a tag or the tip commit of a branch, it can be fixed. if the commit is part of a history, then i agree it can't be safely fixed.

there's nothing wrong replacing the OpenPGP certificate. implementations that don't like the malformed self-signature will ignore it, while accepting the corrected one. implementations that are fine with both will just see a duplicate self-signature, which isn't a problem.

[JanZerebecki]

if the signature is on a terminal element, like a tag or the tip commit of a branch, it can be fixed.

While history could be technically changed, it should not be changed even for the tip or tags, as people could have already fetched these, so it would lead to a lot of work. A history rewrite looks the same to git clients independent of depth, even if it is only the tip or tags.

For example, every software based on Sequoia will import the update and incorporate the corrected signature.

With sq patched with https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1341 it doesn't update the key, which is similar enough to how the discussion went on what the spec should require:

> sq keyring merge -o sq-keyring.pgp github.pubkey 
> sq keyring merge -o sq-keyring2.pgp sq-keyring.pgp github-webflow-fixed-certificate.pgp.txt 
> sq keyring list sq-keyring.pgp 
0. 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23 GitHub (web-flow commit signing) <[email protected]>
> sq keyring list sq-keyring2.pgp 
0. 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23 GitHub (web-flow commit signing) <[email protected]>
> cmp github.pubkey github-webflow-fixed-certificate.pgp.txt 
github.pubkey github-webflow-fixed-certificate.pgp.txt differ: byte 39, line 3
> cmp sq-keyring.pgp sq-keyring2.pgp && echo true
true

[dkg]

i should be clear that the fix above for the github certificate is just for the MPI framing issue -- @andrewgdotcom suggests that there is also a problem with the leading two octets of digest in the signatures, but i haven't investigated or tried to fix that .

[harrycguo]

@dkg would you have any resources on how to fix the two octets of the digest in the signature? We were wondering if there was an easy way to just change the 0x9901 to 0xc2c0 as well as the CRC - would that solve the issue? Or is there some other things we need to fix as well?

the sq verify tool gives the following output:

Public-Key Packet, new CTB, 3 header bytes + 269 bytes
    Version: 4
    Creation time: 2017-08-16 15:44:01 UTC
    Pk algo: RSA (Encrypt or Sign)
    Pk size: 2048 bits
    Fingerprint: 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
    KeyID: 4AEE18F83AFDEB23
  
    00000000  c6                                                 CTB
    00000001     c0 4d                                           length
    00000003           04                                        version
    00000004              59 94 68 41                            creation_time
    00000008                           01                        pk_algo
    00000009                              08 00                  rsa_public_n_len
    0000000b                                    b3 5d 30 ed e9   rsa_public_n
    00000010  99 f2 69 5b 6e 79 90 12  07 38 27 02 62 b5 de af
    00000020  54 ae 07 21 fa c2 98 78  88 5d ca 68 ee 31 0b 5a
    00000030  c7 5e 4e 92 57 2d 9a b6  6d aa b7 b9 93 03 d4 a2
    00000040  c1 b7 fc 1d bf 8a 4b 8f  60 49 5c 1e 01 8f 2f 8b
    00000050  8b e4 49 ba 4b 90 bf a2  8c df 91 8c e1 c1 1a d3
    00000060  49 0c ef 62 3b 04 e0 8d  f8 4e 8e 14 74 4f 4a 03
    00000070  de f0 ad 08 c6 a3 3d 81  c7 bd 96 0c bc 96 c1 cb
    00000080  43 dc 32 90 b5 87 87 5e  cc 17 5e d5 f0 29 f8 d0
    00000090  ec 5c b8 f8 17 f9 20 f8  7b e9 d0 3c 34 9e 94 b6
    000000a0  38 cb 20 39 4a a9 dc 4b  5b 86 ad 1d ee b1 58 56
    000000b0  89 f9 77 4b 52 db 00 ae  86 5c 5c 17 96 0c 23 da
    000000c0  6e e5 c2 0e c7 09 70 b2  51 29 95 5c eb 68 0e 65
    000000d0  75 ed 3d fa 07 aa f5 0f  a7 79 ee 2c 0e 18 8c 7f
    000000e0  5b a6 16 eb 31 63 1f f3  5d 16 c7 3f 49 4d dd ef
    000000f0  c9 68 06 a8 d6 34 cd b0  6a 79 9a 06 bf e4 ee 13
    00000100  19 51 1d 3f 00 48 61 52  f5 25 43
    0000010b                                    00 11            rsa_public_e_len
    0000010d                                          01 00 01   rsa_public_e
  
User ID Packet, new CTB, 2 header bytes + 53 bytes
    Value: GitHub (web-flow commit signing) <[email protected]>
  
    00000000  cd                                                 CTB
    00000001     35                                              length
    00000002        47 69 74 48 75 62  20 28 77 65 62 2d 66 6c   value
    00000010  6f 77 20 63 6f 6d 6d 69  74 20 73 69 67 6e 69 6e
    00000020  67 29 20 3c 6e 6f 72 65  70 6c 79 40 67 69 74 68
    00000030  75 62 2e 63 6f 6d 3e
  
Signature Packet, new CTB, 3 header bytes + 290 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA (Encrypt or Sign)
    Hash algo: SHA256
    Hashed area:
      Signature creation time: 2017-08-16 15:44:01 UTC
      Issuer: 4AEE18F83AFDEB23
      Key flags: CS
      Primary User ID: true
    Digest prefix: 9901
    Level: 0 (signature over data)
  
    00000000  c2                                                 CTB
    00000001     c0 62                                           length
    00000003           04                                        version
    00000004              13                                     type
    00000005                 01                                  pk_algo
    00000006                    08                               hash_algo
    00000007                       00  16                        hashed_area_len
    00000009                              05                     subpacket length
    0000000a                                 02                  subpacket tag
    0000000b                                    59 94 68 41      sig creation time
    0000000f                                                09   subpacket length
    00000010  10                                                 subpacket tag
    00000011     4a ee 18 f8 3a fd eb  23                        issuer
    00000019                              02                     subpacket length
    0000001a                                 1b                  subpacket tag
    0000001b                                    03               key flags
    0000001c                                       02            subpacket length
    0000001d                                          19         subpacket tag
    0000001e                                             01      primary user id
    0000001f                                                00   unhashed_area_len
    00000020  00
    00000021     99                                              digest_prefix1
    00000022        01                                           digest_prefix2
    00000023           07 fe                                     rsa_signature_len
    00000025                 20 13 58  59 a2 da 8c 65 06 1d f0   rsa_signature
    00000030  02 cc 92 34 23 55 e0 83  df 0c 33 1e 87 a8 fc d1
    00000040  64 fb 72 0a 17 ed 5e f1  a8 93 b1 ad fa ea 3c 4b
    00000050  61 43 78 60 1c 89 bb 6f  93 0f 42 55 2b da af 94
    00000060  3c bd b6 b7 f2 3e 11 21  7a f5 bd 10 58 b1 52 30
    00000070  96 cc 4a 4f 81 5e 4b d2  8c 7f 6a f2 30 0e d3 df
    00000080  3a fe 94 a1 3d 5e 43 53  6b 0c c6 7c 78 2d f2 df
    00000090  1c d8 53 ce 35 ca a2 4c  2c fb ca 6d 27 cb a1 30
    000000a0  d2 03 5d f5 ee ce 46 47  23 1a 17 93 7a cd 72 30
    000000b0  cd e5 ce 57 fa c2 bc 50  14 47 d3 dd 81 20 95 82
    000000c0  39 f6 90 b7 bb fb c2 28  39 e1 16 b6 f2 93 3d 19
    000000d0  b1 ca 5d 53 71 99 d2 e9  08 5c b3 bf 23 2e 0a 62
    000000e0  0d 61 80 03 b0 2f 38 f1  04 05 17 09 dd e0 44 27
    000000f0  ba 9a 3a 42 f8 44 57 1d  4e 8f bc 03 c2 fb 87 e5
    00000100  d0 ab 2e e2 f0 b7 05 da  42 1d 28 9c 6e 39 f3 7a
    00000110  74 2c 69 ac d8 c7 f9 17  e2 1c 93 aa 3f e2 97 8e
    00000120  94 1a 19 cf 8f

[dkg]

@harrycguo, i'm not sure about the right tooling to make it easy to update the digest prefix octets, sorry. if 0xc2c0 is the right value for them, then yes you just want to swap that in for 0x9901 here, and then re-armor it to get the ASCII-armor CRC trailer correct. It would be great if someone could produce a tool that did this kind of canonicalization/cleanup automatically.

[dkg]

It would be great to get a response from someone at github about this!

[JanZerebecki]

I filed a ticket linking to this discussion from a paid org for this and on Aug 2, 2022, 8:15 AM UTC i received the following response: "Thanks for the report. I've asked the team for their input on this one. I can't promise an ETA for when we'll get an update, but we'll write back to you if there's any news to share."
I'll update when I get any further response.

[JanZerebecki]

Received an update in the ticket:

Thanks for your patience while the team have investigated and discussed this.

We were able to reproduce the problem, as described, using the "sq" tool. We worked to identify the root cause of the disagreement between signature creation and the sq tool and identified that sq reports the same errors using Go's OpenPGP implementation. We have included a sample Go project that reproduces the problem. Note that the issue is not deterministic. Depending on the resulting signature, sometimes Go creates a signature that sq believes is well-encoded, and other times it does not.

Therefore, we have concluded that the root cause of the signature creation issue is upstream in Go's x/crypto/openpgp package. We are investigating how we might be able to resolve the signature creation issue. If we are able to resolve the signature creation issue, we intended to address it for new signatures going forward.

We are continuing to research and understand the impact of fixing the key itself.

I take it you'll share this response in the public discussion?

I'm afraid our system is going to mark this ticket as "solved" now that the issue has been created with the engineering team, but that doesn't mean we've forgotten about it!

We'll be back in touch when we have any updates!

script.go.txt

---

I answered:

Thank you!

x/crypto/openpgp is marked deprecated ( golang/go#44226 ) but you can use https://github.com/ProtonMail/go-crypto as a replacement, which AFAIK does not have this issue.

Reply:

Yes, switching to a new replacement is one of the things still being discussed. I'll pass your recommendation for ProtonMail/go-crypto on to the team!

---

Notes when I quickly looked at this, I found this commit: sylabs/golang-x-crypto@374053e#diff-47e53358306da9dcb5ca7dd110d31067d11f231fc3baed4f51e4026e26b521bfL506 Context for author: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html golang/go#44226 https://nitter.net/FiloSottile/status/1555677349621932032#m

[dkg]

that commit is distressing -- it's explicitly generating non-standard MPIs on the wire format in knowing contravention of the cited RFC, while acknowledging that these variations are likely to cause problems with reserialization ☹ Either Filippo and his reviewers weren't thinking about the impact on other consumers of these objects or they were aware and thought that those impacts were OK.

@JanZerebecki do you have any word about whether the github team has switched to a supported openpgp module?

[FiloSottile]

FWIW (and I'm reading that commit with no particular context as it was four years ago), I think that commit didn't introduce the spec divergence, just documented it, and it's saying that removing the variation would (also) cause problems since it would introduce a situation where a value gets parsed and reserialized into a different encoding (unless we start rejecting our own signatures produced by previous versions, which has its own issues). This kind of lose-lose-lose problems are part of why we deprecated the package and encouraged moving to a different one.

[JanZerebecki]

What prevents this from both retaining the same serialization for existing MPIs and creating new MPIs in the spec compliant way?

Yes there is a downside of carrying that state and more complexity, but I currently can't see why that would be an actual problem. That seems to me as not loosing from the point of view of OpenPGP users.

I have not yet fully written it down nor checked it for correctness, but I think safely dealing with the existence of keys and fingerprints with that differing representation is also possible without outright rejecting them. Though from my reading that was not a reason for why you talked about losing. One could always compute a mapping to both versions, the rounded up MPI representation and the spec compliant one, so revocations can be looked up in either representation. (Maybe there are more variants in addition to exactly rounded up to a byte in the wild, but few enough of them for this to work.)

[vaindil]

Hi there! I'm looking into this issue at the moment, though depending on our discussion I can't concretely promise that I'll be able to resolve the issue. I'll also add the caveat that I'm not an OpenPGP expert, I'm learning as I go.

I grabbed the signature from containers/podman@b0d7a3a, a commit from earlier today. sq verify reports that it's a good signature. I checked several other miscellaneous commits from other repos, and all are reported as good. Sequoia's packet dumper also reports no issues for these new signatures, whereas it does report issues for older ones.

Our commit signing key was rotated in January, and there have been several other security updates to our internal services in the past few months that may have fixed this issue. Is this still a problem? If it is, how would you recommend I test it (since sq verify reports everything is okay)?

[teythoon]

Hi :)

I just verified that the issue is still there. There is a chance that the signature is correctly encoded, so you need to look at a few of them.

I have a test repository here, and created four commits today (simply by editing the file using the web gui). By chance, the first commit was good, the next three were bad:

$ git clone https://github.com/teythoon/test-signed-commit
$ cd test-signed-commit
$ git log --no-show-signature --pretty=oneline | while read commit message ; do echo $commit $message ; git cat-file -p $commit | sed s/gpgsig// | sq dearmor | sq packet dump ; done
aa56919b50398a652b4b6e6b9b3a6cbcf90703dc Update README.md
Unknown or Unsupported Packet, new CTB, 540 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in    11011 (1b)
  
3ab981dcf42579a4a584d78761e4b7085ec01e71 Update README.md
Unknown or Unsupported Packet, new CTB, 540 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in  1110100 (74)
  
7a090c071612fba30cc09a5ba6f6e458a66d9074 Update README.md
Unknown or Unsupported Packet, new CTB, 540 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in    10010 (12)
  
45157dbf8ebd8bd8e88d759d80871d903b21e441 Update README.md
Signature Packet, new CTB, 540 bytes
    Version: 4
    Type: Binary
    Pk algo: RSA
    Hash algo: SHA256
    Hashed area:
      Signature creation time: 2024-02-14 16:23:31 UTC
      Issuer: B5690EEEBB952194
    Digest prefix: AC72
    Level: 0 (signature over data)
  
6ca1db88ee8fff0af121441d7433b9eff4fbf515 Initial commit
Unknown or Unsupported Packet, new CTB, 284 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in    11010 (1a)