gpg.fail

Zero-days from the CCC talk https://fahrplan.events.ccc.de/congress/2025/fahrplan/event/...

But trust in Werner Koch is gone. Wontfix??

[39c3] To sign or not to sign: Practical vulnerabilities in GPG & friends

Beyond the underlying mathematics of cryptographic algorithms, there is a whole other layer of implementation code, assigning meaning to the processed data. For example, a signature verification operation both needs robust cryptography **and** ass...

39c3

To be frank, at this point, GPG has been a lost cause for basically decades.

People who are serious about security use newer, better tools that replace GPG. But keep in mind, there’s no “one ring to rule them all”.

What are those better tools? I've been broadly looking into this space, but never ventured too deep.
Sequoia for example has been doing a great job and implements the latest version of the standard, which brings a lot of cryptography up to date.
I've yet to finish watching the talk, but it starts with them confirming the demo fraudulent .iso with Sequoia also (they call it out by name), so this really makes me think. :)
Sequoia hasn't fixed the attack from the beginning of the talk, the one where they convert between cleartext and full signature formats and inject unsigned bytes into the output because of the confusion.
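Added example, not code from the talk, the thread, or GnuPG itself: a defender-side check that reads GnuPG's machine-readable `--status-fd` lines and accepts a verification run only when exactly one signature is reported, it is a VALIDSIG from the expected primary key with full or ultimate trust, and no error status (BADSIG, ERRSIG, NODATA, expired or revoked key) appears. The status lines, key IDs and fingerprints below are constructed placeholders; the keyword names and VALIDSIG field order follow GnuPG's documented status-line format.

```python
"""Defender-side parser for GnuPG --status-fd output (added example, not GnuPG's code).

Decide whether a verification run is acceptable from the status lines alone:
exactly one signature, it must be VALIDSIG from the expected primary key,
it must carry full/ultimate trust, and no error status may be present.
All status lines and fingerprints below are constructed placeholders.
"""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that must never appear in an accepted run.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def parse_status(lines):
    """Yield (keyword, args) for each '[GNUPG:] ...' line; other output is ignored."""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            yield parts[0], parts[1:]


def judge(lines, expected_primary_fpr):
    """Return a Verdict; ok is True only if every check passes."""
    reasons = []
    newsig_count = 0
    validsigs = []
    trust_ok = False
    for keyword, args in parse_status(lines):
        if keyword == "NEWSIG":          # emitted once per signature examined
            newsig_count += 1
        elif keyword == "VALIDSIG":
            validsigs.append(args)
        elif keyword in FATAL_KEYWORDS:
            reasons.append(f"{keyword} reported: {' '.join(args)}")
        elif keyword in ACCEPTED_TRUST:
            trust_ok = True
    if newsig_count != 1:
        reasons.append(f"expected exactly one signature, saw {newsig_count}")
    if len(validsigs) != 1:
        reasons.append(f"expected exactly one VALIDSIG, saw {len(validsigs)}")
    else:
        args = validsigs[0]
        # VALIDSIG fields: fpr date ts expire version reserved pkalgo hashalgo class [primary-fpr]
        primary = args[9] if len(args) >= 10 else args[0]
        if primary.upper() != expected_primary_fpr.upper():
            reasons.append(f"signature from unexpected key {primary}")
    if not trust_ok:
        reasons.append("signing key is not fully/ultimately trusted")
    return Verdict(ok=not reasons, reasons=reasons)


# Constructed placeholder fingerprint (not a real key).
EXPECTED_FPR = "0" * 40

# Constructed status lines for a clean run with one valid signature.
GOOD_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED " + EXPECTED_FPR + " 0",
    "[GNUPG:] GOODSIG 0000000000000000 Placeholder Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2025-12-28 1767000000 0 4 0 22 10 00 " + EXPECTED_FPR,
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]

# Constructed run containing two signatures, the second of which fails.
MIXED_RUN = GOOD_RUN + [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 1111111111111111 Placeholder Signer <signer@example.invalid>",
]

# Constructed run where no signature was found at all.
NOSIG_RUN = ["[GNUPG:] NODATA 1", "gpg: no valid OpenPGP data found."]

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("mixed", MIXED_RUN), ("nosig", NOSIG_RUN)):
        v = judge(run, EXPECTED_FPR)
        print(name, "ACCEPT" if v.ok else "REJECT", v.reasons)
```

The status lines tell you whether a signature verified, but not which bytes it covered, which is exactly the gap the format-confusion attack in the talk exploits. For an artefact like an .iso, the safer pattern is a detached signature verified over the file you already hold, so the bytes you go on to use are the bytes you handed to the verifier, rather than whatever the tool writes out after unpacking an inline or cleartext-signed message.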