Gpg.fail

Scope of the Vulnerabilities and Talk

  • Thread centers on the 39C3 “to sign or not to sign” talk and gpg.fail, which documents ~14 practical vulnerabilities, many in GnuPG and some in other tools (Sequoia, minisign, age).
  • Key themes: signature type confusion (cleartext vs detached), malleability leading to plaintext recovery, odd parsing behaviors (e.g., formfeed allowing unsigned data injection), and unsafe handling of ANSI escape sequences in terminal output.
  • Several commenters stress these are mostly local/interaction attacks, not “remote worm” style bugs, but still serious because PGP tools are expected to safely handle untrusted input.

GnuPG vs PGP vs Protocol Design

  • Strong criticism that PGP’s packet system and state machine are “fundamentally broken” and too complex, making such bugs almost inevitable.
  • Others argue the current OpenPGP standard itself isn’t the problem; gpg.fail mostly hits legacy parts and implementation bugs in GnuPG.
  • Debate whether the opening ISO verification attack affects Sequoia as well; some say yes, others say Sequoia’s behavior is less confusing.

Maintainer Responses and WONTFIX

  • Significant frustration that some GnuPG issues were marked WONTFIX, including attacks that allow plaintext exfiltration while only emitting a generic error.
  • A recent GnuPG blog post on cleartext signatures is seen as unsatisfying: if something has been “considered harmful” for decades, it should be deprecated and removed, not left in by policy.

Impact on Existing Workflows

  • Questions about whether git tag/commit signing, Linux distro package verification, and enterprise email encryption are at risk.
  • Consensus: most distro package-signing use is narrowly constrained and often layered on HTTPS, so not immediately in flames, but the ecosystem is brittle.
  • Some still use GPG heavily for backups, password stores, SSH keys, and smartcards, arguing the ecosystem and hardware support are hard to replace.

Alternatives and “Use the Right Tool”

  • Many recommend replacing PGP with task‑specific tools:
    • age for file encryption, minisign or SSH signatures for signing, Signal/WhatsApp for messaging, Sigstore/SLSA-like systems for software supply chain.
  • Pushback: PGP still dominates for Maven, Linux releases, and cross‑org email; migrating ecosystems and solving key distribution is non-trivial.

Key Distribution, Web of Trust, and Standards Schism

  • Broad agreement that the traditional web of trust and keyservers effectively failed; most modern use relies on pre-established or HTTPS-delivered keys.
  • Discussion of the OpenPGP schism: LibrePGP (GnuPG-aligned, minimalist) vs RFC 9580 (more changes). Some see both sides as heading toward an interoperability mess.

Licensing and Ecosystem Concerns

  • Separate thread worries that Rust-era rewrites default to MIT, enabling corporate “embrace, extend, extinguish,” unlike GPLv3-licensed GnuPG.
  • Others counter that users evidently prefer permissive-licensed replacements, and that forking remains possible even if corporations create proprietary variants.