Mailing List Archive

Storing custom signed data in the key
Hey Gnupg users,

what would be the most "canonical" way to store arbitrary, signed data
along the gpg key? And then: what is the programmatic way of extracting
said data?

My specific usecase is putting a signify [1] public key inside my GPG
key, so that I can leverage key distribution to push my signify key.
After some digging, I was able to add a "notation" to one of my UIDs,
using "edit-key" + "notation", and now I have a signed notation inside
a self-sig. See:

$ gpg --no-options --list-options show-notation --check-sigs KEYID | grep pub@signify
Signature notation: pub@signify=SIGNIFYKEY

This extraction process seems dangerous to me, however, since an
attacker could add a dummy signature on my key with the same
notation. I can improve the above by interpreting the input more
thoroughly, since the notation follows the signature info:

sig!3 N KEYID 2019-08-17 User Example <user@example.com>
Signature notation: pub@signify=SIGNIFYKEY

By checking the signature verification status ("sig!") and KEYID I can
ensure that the notation is valid.

Does it make sense? Is it a good idea? What would be a better way?

Cheers,
Tomasz
Re: Storing custom signed data in the key [ In reply to ]
Hi Tomasz,

> what would be the most "canonical" way to store arbitrary, signed data
> along the gpg key? And then: what is the programmatic way of extracting
> said data?
> (...)
> sig!3 N KEYID 2019-08-17 User Example <user@example.com>
> Signature notation: pub@signify=SIGNIFYKEY
>
>
> Does it make sense? Is it a good idea? What would be a better way?

Yep, that definitely makes sense and notations are a good way to store
additional data. The only problem here is how to get the notation values
programmatically in a way that you know the self-signature is valid.

Sadly "gpg --list-options show-notations --with-colons --list-keys $KEY"
does not print the notation output.

I did use OpenPGP.js to verify signature and extract notations for a
small project of mine (https://metacode.biz/openpgp/proofs example here:
https://metacode.biz/@wiktor ) but I understand you want to keep the
dependencies to the minimum.

Maybe you could use GpgME, the docs look promising:

> The signature notations on a key signature are only available if the
key was retrieved via a listing operation with the
GPGME_KEYLIST_MODE_SIG_NOTATIONS mode enabled, because it can be
expensive to retrieve all signature notations.

Source:
https://www.gnupg.org/(es)/documentation/manuals/gpgme/Key-objects.html#Key-objects

One minor thing, you may want to adjust the notation name (key). RFC
4880 advises e-mail-like key where the domain is a name you control. So
for example "pub-signify@debian.org" if you control "debian.org".
Additionally it would be nice to have the e-mail redirect to a human in
case someone sends the message there.

Kind regards,
Wiktor
Re: Storing custom signed data in the key [ In reply to ]
Hi Tomasz--

On Sat 2019-08-17 18:45:24 +0200, Tomasz Buchert wrote:

> what would be the most "canonical" way to store arbitrary, signed data
> along the gpg key? And then: what is the programmatic way of extracting
> said data?
>
> My specific usecase is putting a signify [1] public key inside my GPG
> key, so that I can leverage key distribution to push my signify key.

As i understand it, signify uses ed25519 public keys.

For this specific use case, i'd recommend attaching your signify public
key as a signing-capable subkey directly to your OpenPGP
certificate. Or, if you don't want it to look like it's signing-capable
for the purposes of OpenPGP signing, you could attach it as a subkey
with an empty key flags subpacket.

If you want to include a notation that indicates that this key is for
use with signify specifically, you could then include a notation in the
subkey binding signature.

This seems like the most prinicipled way to include the key in your
OpenPGP certificate, and the best way to avoid having people get
confused about third-party certification claims, since third-parties
can't attach subkeys.

Doing this specifically would require some conversion capability between
the signify format and the OpenPGP format for Ed25519 keys. I haven't
tried to do that, but if it's something that you're interested in, i'd
be happy to look at it with you.

--dkg