PGPainless 1.4.5

CHANGELOG.md

@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+# 1.4.5
+- Bugfix: Direct-Key signatures are calculated over the signee key only, not the signer key + signee key
+- Security: Fix faulty bit-strength policy check for signing subkeys
+
 ## 1.4.4
 - Fix expectations on subpackets of v3 signatures (thanks @bjansen)
   - Properly verify v3 signatures, which do not yet have signature subpackets, yet we required them to have  

README.md

@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.4.4'
+	implementation 'org.pgpainless:pgpainless-core:1.4.5'
 }
 ```
 

pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java

@@ -379,7 +379,7 @@ public final class SigningOptions {
         SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID());
         PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID());
         PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(signingSecretKey.getPublicKey().getAlgorithm());
-        int bitStrength = secretKey.getPublicKey().getBitStrength();
+        int bitStrength = signingSecretKey.getPublicKey().getBitStrength();
         if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
             throw new KeyException.UnacceptableSigningKeyException(
                     new KeyException.PublicKeyAlgorithmPolicyException(

pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java

@@ -43,11 +43,7 @@ public class ThirdPartyDirectKeySignatureBuilder extends AbstractSignatureBuilde
 
     public PGPSignature build(PGPPublicKey key) throws PGPException {
         PGPSignatureGenerator signatureGenerator = buildAndInitSignatureGenerator();
-        if (key.getKeyID() != publicSigningKey.getKeyID()) {
+        return signatureGenerator.generateCertification(key);
-            return signatureGenerator.generateCertification(publicSigningKey, key);
-        } else {
-            return signatureGenerator.generateCertification(key);
-        }
     }
 
     @Override

pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java

@@ -539,10 +539,10 @@ public abstract class SignatureValidator {
                 try {
                     signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signer);
                     boolean valid;
-                    if (signer.getKeyID() != signee.getKeyID()) {
+                    if (signer.getKeyID() == signee.getKeyID() || signature.getSignatureType() == PGPSignature.DIRECT_KEY) {
-                        valid = signature.verifyCertification(signer, signee);
-                    } else {
                         valid = signature.verifyCertification(signee);
+                    } else {
+                        valid = signature.verifyCertification(signer, signee);
                     }
                     if (!valid) {
                         throw new SignatureValidationException("Signature is not correct.");

pgpainless-sop/README.md

@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.4.4"
+    implementation "org.pgpainless:pgpainless-sop:1.4.5"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     <dependency>
         <groupId>org.pgpainless</groupId>
         <artifactId>pgpainless-sop</artifactId>
-        <version>1.4.4</version>
+        <version>1.4.5</version>
     </dependency>
     ...
 </dependencies>

version.gradle

@@ -5,7 +5,7 @@
 allprojects {
     ext {
         shortVersion = '1.4.5'
-        isSnapshot = true
+        isSnapshot = false
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8
         bouncyCastleVersion = '1.72'