ECC signature validation failure

[txr13]

Windows 7 Ultimate x64 SP1 Office 2010 Professional Plus GPG4Win 2.2.1 .NET Framework 4.5.1

I'm attempting to verify signed / encrypted email sent to myself from another machine. All emails are sent using Inline PGP, text only.

When sending from Enigmail 1.7 (using GPG4Win 2.2.1), signed messages give the above error message. For encrypted messages, I must enter the passphrase, and then I get the above error message. The email is not decrypted.

When sending from iPGMail 2.6.3, signed messages give the above error message. For encrypted messages, I must enter the passphrase, and then I get "invalid header encountered". The email is not decrypted.

[Meddington]

Currently OPP does not support ECDSA. Marking as enhancement request.

[txr13]

After installing BETA 44 for the fix from issue #30, the message "unknown signature key algorithm: ECDsa" is also present when trying to send any outbound email. This is true even when trying to send unsigned email, even when the option "Encrypt to self" is deselected.

[Meddington]

ECC is not supported at all currently.

The underlying OpenPGP crypto library I'm using has ECC primitives, but they are not included in the OpenPGP support. Nor does the stable branch of gpg have ECC support. So currently it is not possible to install a version of gpg4win that has ECC support allowing for key management functions. At least not that I'm aware of.

[txr13]

Does your code read/process all the signatures on a key?

I ask because my key is an RSA key, and mostly has signatures from other RSA keys on it. However, it has also been signed by at least two ECC keys on multiple UIDs. (The party in question was using a self-compiled version of GPG beta, specifically to enable ECC support.) I expect that there are at least six ECDsa signatures on my key, though my key itself is RSA. And now that I think about it, there's no way I would expect my RSA key to be creating ECDsa signatures...

When trying to work with that signing party's keys, I've come across algorithms 18 and 19 (as reported by GPG, since it didn't know what to make of them). On referencing the OpenPGP spec, I saw they were ECC and ECDSA algorithms. So might it be possible to simply check for and then ignore signatures that use a currently-unsupported algorithm, rather than essentially failing on all operations using a supported key that has been signed by unsupported algorithms?

[Meddington]

the error your seeing is generated by the OpenPGP library I'm using and not my code. However, I did find the release candidate for the next version of the library has ECC support. I've upgraded to that new version, so hopefully this will be fixed in BETA-45.

[txr13]

Tested with BETA-46. Issue is partially fixed.

Encrypted/unsigned message - decrypted OK. Unencrypted/signed message - verified OK. Encrypted/signed message - decrypted OK, failed verification. (Invalid signature from "Missing Key" with KeyId XXXXXXXX.).

It seems very odd that I can verify the signature on an unencrypted message, but not on an encrypted message. Testing the encrypted/signed message with gpg command-line decrypted and verified the signature correctly.

When sending outbound, encrypted/unsigned and unencrypted/signed emails were processed successfully by the receiver. The encrypted/signed email failed its signature verification, but again gpg processed it successfully, so that failure is on the receiver end (not OPP's fault).

[Meddington]

Okay, thanks for the update. I'm going to guess this is a bug in the OpenPGP library I'm using. If I have a chance I'll try to verify.

[Meddington]

Please give this a shot again with the latest builds. This may be related to selecting the wrong key to perform enc/sig with.

[Meddington]

In the latest beta 55 release there is an option to enable debug tracing in the settings. Set this option then restart outlook and re-create the issue. Then please email or inline the content of %appdata%\outlookprivacyplugin*.txt