Add support for validating signatures from PGP subkeys #2874

drGrove · 2025-06-22T08:45:51Z

This change should update the gpgme and openpgp implmenetations to support validating signatures made by signing subkeys. It will close an open issue that was referenced specifically in podman, but should resolve this across a number of tools that use this library.

This change should update the gpgme and openpgp implmenetations to support validating signatures made by signing subkeys. It will close an open issue that was referenced specifically in [podman](containers/podman#16406), but should resolve this across a number of tools that use this library. Signed-off-by: Danny Grove <danny@dannygrove.com>

mtrmac

Thanks!

containers/podman#16406 contains a long discussion about expired (or revoked) keys, IIRC it’s fairly unclear what is the right thing to do for long-term artifacts like software, and with no trusted timestamps.

Adding what, 150? new lines of code to the security critical signing code path is also a bit unattractive (although that’s, by itself, not at all a reason not to do the right thing).

There’s also a bit of awkward timing in that #2569 will probably replace the default / recommended verification implementation.

OTOH, these design concerns are, right now, also a topic there: #2569 (comment) .

drGrove · 2025-06-23T16:15:24Z

There’s also a bit of awkward timing in that #2569 will probably replace the default / recommended verification implementation.

I noticed this as I was finishing out the implementation but based on my understanding of the comments. It appears the GPGPME/Go OpenPGP will still exist, it just won't be the hot path. As the sequoia OpenPGP implementation has also been something that's still being worked though, having any support for subkeys IMO is ideal.

containers/podman#16406 contains a long discussion about expired (or revoked) keys, IIRC it’s fairly unclear what is the right thing to do for long-term artifacts like software, and with no trusted timestamps.

To my understanding, once a key is revoked or expired the signature is no longer valid. Regardless of when it was signed. This default to close IMO is a feature. Revocations are packets within the key just like anything else and generally the systems/users doing validation of OpenPGP signatures understand the implications of this. If a key is revoked and pushed to a keyserver, the user/machine has to pull down the updated packets for it to take effect within the verification pipeline. If you are aware that a revocation has been published but you still need to use a previously signed image it would probably be more ideal for you to mirror the image and sign it yourself than the much less secure option of not importing the updated key. This same problem exists is most signing schemes (key rotation).

drGrove force-pushed the drgrove/fix-pgp-subkey-verification branch from 77893fc to f79e1b8 Compare June 22, 2025 22:38

mtrmac reviewed Jun 23, 2025

View reviewed changes

mtrmac mentioned this pull request Jun 23, 2025

signature: add OpenPGP signing mechanism based on Sequoia #2569

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add support for validating signatures from PGP subkeys #2874

Add support for validating signatures from PGP subkeys #2874

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Add support for validating signatures from PGP subkeys #2874

Are you sure you want to change the base?

Add support for validating signatures from PGP subkeys #2874

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!