Subject: GnuPG::Signature contains no information about cryptographic validity of the signature [PATCH] [SECURITY]
Date: Sun, 02 May 2010 01:13:03 -0400
To: bug-GnuPG-Interface [...] rt.cpan.org, submit [...] bugs.debian.org
From: Daniel Kahn Gillmor <dkg [...] fifthhorseman.net>
Package: libgnupg-interface-perl
Tags: security patch
One of the primary reasons one might want to use GnuPG::Interface is to
examine the cryptographically-valid OpenPGP certifications that bind
User IDs and subkeys to primary keys.
However, GnuPG::Signature has no information about whether a given
signature is in fact cryptographically valid.
Given that it is trivial to create invalid OpenPGP signatures "from" any
key you like and inject them into keyservers (and from there into local
keyrings), this seems like a potential security vulnerability in any
application which uses GnuPG::Interface to examine a list of OpenPGP
certifications.
Attached is a patch which adds new functionality to GnuPG::Signature to
report whether a signature has been computed by GnuPG to be
cryptographically valid or not.
Given that no existing code which relies on GnuPG::Signature currently
uses this functionality, it may be safer to go even further: another
possible patch on top of this would be to only store valid signatures in
the signatures() arrayref of the GnuPG::UserID and GnuPG::SubKey
classes. (perhaps an "invalid_signatures" arrayref could be added to
these classes if users for some reason wanted access to this kind of
questionable material).
This patch applies after the recent series of patches I've submitted.
--dkg
PS I can create and publish an invalid certification from any key to any
key if it would be a useful demonstration. Please let me know if that
is desired as proof of the security concerns around this bug report.
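The verdict this report asks GnuPG::Signature to expose is carried in field 2 of each `sig`/`rev` record emitted by `gpg --with-colons --check-sigs` (documented in GnuPG's doc/DETAILS). The Python below is an added example, not part of the bug report, the attached patch, or GnuPG::Interface: it parses constructed sample records and separates valid certifications from the invalid or unverifiable ones the report suggests keeping apart, treating an unchecked signature as not valid.

```python
# Added example (not the bug report's patch or GnuPG::Interface code): parse
# `gpg --with-colons --check-sigs` records and keep GnuPG's validity verdict.
# All key IDs, dates and User IDs below are constructed placeholders.
from dataclasses import dataclass

# Field 2 of a sig/rev record, filled in only by --check-sigs (see doc/DETAILS).
VERDICT = {"!": "good", "-": "bad", "%": "error", "?": "no-public-key"}

@dataclass
class Signature:
    record: str      # "sig" (certification) or "rev" (revocation)
    verdict: str     # "good", "bad", "error", "no-public-key" or "unchecked"
    key_id: str      # field 5: the key the signature claims to come from
    created: str     # field 6: creation timestamp
    signer_uid: str  # field 10: signer's User ID, if the signing key is known
    sig_class: str   # field 11: e.g. "13x" (positive certification), "1Fl" (binding)

    @property
    def valid(self) -> bool:
        # Only a "!" verdict counts; an empty field means gpg never checked it.
        return self.verdict == "good"

def parse_check_sigs(output: str):
    """Split sig/rev records into (valid, invalid) lists; other records are skipped."""
    valid, invalid = [], []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sig", "rev"):
            continue
        fields += [""] * (12 - len(fields))  # pad short records so indexing is safe
        sig = Signature(
            record=fields[0],
            verdict=VERDICT.get(fields[1], "unchecked"),
            key_id=fields[4],
            created=fields[5],
            signer_uid=fields[9],
            sig_class=fields[10],
        )
        (valid if sig.valid else invalid).append(sig)
    return valid, invalid

# Constructed output for one key with one User ID: a genuine self-signature, a
# signature whose key is not in the keyring, and a bogus certification "from"
# a third-party key of the kind the report describes being injected via keyservers.
SAMPLE = """\
pub:u:2048:1:0000000000AAAAAA:1272600000:::u:::scESC:
uid:u::::1272600000::UIDHASH::Placeholder User <user@example.invalid>:
sig:!::1:0000000000AAAAAA:1272600000::::Placeholder User <user@example.invalid>:13x:
sig:?::1:0000000000BBBBBB:1272600001::::[User ID not found]:10x:
sig:-::1:0000000000CCCCCC:1272600002::::Forged Signer <forged@example.invalid>:13x:
"""
```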