SigSpoof

SigSpoof is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") for decades.^[1] Several other software packages that make use of GnuPG were also affected, such as Pass and Enigmail.^[2]^[1]

In un-patched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed, under certain circumstances.^[1]^[3]^[4]^[2]^[5] This potentially enables a wide range of subsidiary attacks to succeed.^[1]^[3]^[4]^[2]^[5]

According to Marcus Brinkmann, who discovered the SigSpoof vulnerabilities, their existence, and the fact that they were present in the wild for so long, throws into question the integrity of past emails, "backups, software updates, ... and source code in version control systems like Git."^[1]

References

^ ^a ^b ^c ^d ^e "Decades-old PGP bug allowed hackers to spoof just about anyone's signature".
^ ^a ^b ^c "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug".
^ ^a ^b "SigSpoof: Signaturen fälschen mit GnuPG - Golem.de".
^ ^a ^b Security, heise. "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Security.
^ ^a ^b "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". DER STANDARD.

This computing article is a stub. You can help Wikipedia by expanding it.

[ars-1] "Decades-old PGP bug allowed hackers to spoof just about anyone's signature".

[reg-2018-06-19-2] "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug".

[golem-3] "SigSpoof: Signaturen fälschen mit GnuPG - Golem.de".

[heise-4] Security, heise. "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Security.

[standard-5] "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". DER STANDARD.

[1]

[2]

[3]

[4]

[5]