Seen there, they have an talk about finding some issues with gpg.
Do that have some impact on security of Qubes OS?
Especially the validation of the installation ISO and the verification of downloaded RPMs…
1 Like
In gpg.fail, they are taking a Qubes OS iso as an example…
Exploitation allows for appending additional data after a valid
BEGIN PGP SIGNED MESSAGEArmor Header Line and thereby potentially deceiving a GnuPG user about the actual signed data while preserving cryptographic integrity.
This issue is also documented here: RFC 9580: OpenPGP, on section 7.3. It seems to be a quite known/old vulnerability.
Thus they recommend to avoid using cleartext signatures, as in Cleartext Signatures Considered Harmful.
However: gpg.fail, detached signatures are also vulnerable due to a bad implementation 
, but they suggest a fix too.
4 Likes