Unable to recognise signature from same key which is recognised and verified by GnuPG

anjannath commented 1 year ago

Trying to verify a detached signature using the library fails with the following error, but it is recognised by GnuPG as a valid signature from the same key, am i using the method wrongly here?

openpgp: signature made by unknown entity

Following is the code i used to test this:

package main

import (
        "bytes"
        "fmt"
        "log"

        "github.com/ProtonMail/go-crypto/openpgp"
)

func verifyDetachedWithPubkey(msg, sig, pubkey string) error {
        keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(pubkey))
        if err != nil {
                return fmt.Errorf("failed to parse public key: %w", err)
        }

        if _, err = openpgp.CheckArmoredDetachedSignature(keyring, bytes.NewBufferString(msg), bytes.NewBufferString(sig), nil); err != nil {
                return fmt.Errorf("failed to check signature: %w", err)
        }
        return nil
}

func main() {
        // content of msg.txt
        msg := `a780aed82eea3a023b67247598f57ecf16c3d6fd80375cc3e2f1b564d2b9bc71  crc_hyperv_4.12.0_amd64.crcbundle
cbc75023e63fb33ce4a571ba2047c813acc04f68d6e51879e6a3b238913f54bb  crc_libvirt_4.12.0_amd64.crcbundle
d19c80e53f5c593908a09eb9b3f43ebd908db60ca2e54a01d87a8b09c208557f  crc_vfkit_4.12.0_amd64.crcbundle
59ec291480daf9e0a92978473b573f06fbb38ff5e1839ee7029aa77d2abea93a  crc_vfkit_4.12.0_arm64.crcbundle`
        // content of sig.asc.txt
        sig := `-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUAY+4xjBmeL5H9Qx1RAQjKNw//S21soD5oPMiP6c+KUq53x6MsrtrYrBEm
45hHCSWdcijb4BmBiVXxrFq79ja4Q2RYJBTH0CdAiBF97GFfs4SUfAF4G8q2LJOB
qL1YwerR8ourBWo4fumJI3BmfAdNpm8io+W6alG5HYu8G6vyybOAWbLh0gKHKk0K
OOgyhxaTerGZ7XFzPOZL4efnMyKM0Ib82HKn2/Roi+bZj4pUJajhGrc8+Erxkiqd
rfUXyvsz+uCTU4BjBSAd1Da5RxXhcnvxX7Au/X73QSlWz66XGhlEiNHhgV0Vo/mh
mwdus2a2C+621F/dXnzLZBVCzMnb4kpWfaSHVl98sJUwGbs9Ca/5KbXjclC33Oj9
jncDaNzupgsc1voKWNjSsTYciXU6hwHn7UH/r4ZVcVoMQFAZ556myh83DNQiVL5U
njXacraP/QuL3UKTiJZFIHCKFCcM0Vib7kjESSmRzjf7ulZRHQbjGaOT97MNLNbA
3PlYG3FVswsKKCMeEQ447rHzBCTAzYClSaSh3YcBUFj1AqaLPAu2Bi3IbRmxaphs
NqUllRTN5lot/ER5eqcqWXhe+hfh8cCwo9ZSr2cnspQnSQWP+tB1FyxWeA0NvB/V
xMYXeJ6mUAR4wY3Ewf/OFPDbJzMpWIXmhe+Uj3uyVogAEd090XnJciZvTrxBdQrh
86iMeTHruu8=
=WfZk
-----END PGP SIGNATURE-----`
    // content of pubkey.txt
        pubkey := `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
=zbHE
-----END PGP PUBLIC KEY BLOCK-----`

        if err := verifyDetachedWithPubkey(msg, sig, pubkey); err != nil {
                log.Fatal(err)
        }
}

o/p of running the above code:

❯ go run main.go
2023/02/17 15:17:44 failed to check signature: openpgp: signature made by unknown entity
exit status 1

Following is o/p from `gpg` which is successfully able to verify the detached signature

❯ gpg --import pubkey.txt
gpg: key 199E2F91FD431D51: public key "Red Hat, Inc. (release key 2) <security@redhat.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

❯ gpg --list-keys
/tmp/tmp-gpg-home-dir/pubring.kbx
---------------------------------
pub   rsa4096 2009-10-22 [SC]
      567E347AD0044ADE55BA8A5F199E2F91FD431D51
uid           [ unknown] Red Hat, Inc. (release key 2) <security@redhat.com>

❯ gpg --verify msg.asc msg.txt
gpg: Signature made Thu Feb 16 19:07:16 2023 IST
gpg:                using RSA key 199E2F91FD431D51
gpg: Good signature from "Red Hat, Inc. (release key 2) <security@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51

sig.asc.txt msg.txt pubkey.txt

twiss commented 1 year ago

Hey :wave: This is a v3 signature, which we don't support anymore. Probably the error message could be improved here, basically it just means it couldn't find a (parseable) signature signed by one of the passed keys.

anjannath commented 1 year ago

@twiss hey, thanks for the quick reply, having an explicit mention about the unsupported signature version in the error message will surely be helpful.

Is there any way to handle/migrate a v3 signature to a v4 signature, without having access to the priv key?

wussler commented 1 year ago

No, there is no transformation possible from v3 to v4 signatures

anjannath commented 1 year ago

Thanks for responses, will have to find another way!

ProtonMail / go-crypto