NB: yesterday I discovered a flaw in pomade which allows a malicious client (with an authenticated/trusted session) to exfiltrate private key material due to nonce re-use.
In practice, because clients are already trusted and frequently hold keys anyway, I don't think anyone is affected in practice (the only integration I'm aware of, Flotilla, doesn't execute this attack). However, if you run a pomade signer, please update ASAP.
A two-stage upgrade process is available if you are running in production and have active clients:
1. Upgrade your signers to 0.2.6, which are backwards compatible with the vulnerable signing method.
2. Upgrade your clients to 0.3.0, which swaps out the sign method to an RFC-compatible nonce exchange + psig exchange.
3. Upgrade your signers to 0.3.0, which removes the vulnerable signing method.
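To make the "nonce re-use" point concrete, here is an added illustration that is not pomade's code and does not model its protocol: a toy single-party Schnorr signer over a small constructed group (the parameters P, Q, G, the class names and the session-tracking scheme are all assumptions made for this example). It places a signer that reuses one nonce for every message beside a hardened signer that commits a fresh nonce per session and refuses to sign a second time with it, plus a defender-side check that flags two signatures sharing the same R.

```python
"""Toy Schnorr signer showing why a signing nonce must be used exactly once.

Added example: a constructed Schnorr group (NOT pomade's code, NOT a secure
parameter size) with a nonce-reusing signer, a one-time-nonce signer, and a
detection helper for signatures that share a nonce commitment.
"""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime, so g = 4 (a quadratic
# residue mod p) generates the subgroup of prime order q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (sk, pk) with sk in [1, q-1] and pk = g^sk mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(R, pk, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || pk || m) reduced into Z_q."""
    h = hashlib.sha256(f"{R}|{pk}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def verify(pk, msg: bytes, sig) -> bool:
    """Standard Schnorr check: g^s == R * pk^e (mod p)."""
    R, s = sig
    e = challenge(R, pk, msg)
    return pow(G, s, P) == (R * pow(pk, e, P)) % P


class NonceReusingSigner:
    """Models the flaw class: one nonce chosen at setup and reused for every message.

    Every signature it emits shares the same R, so two signatures over different
    messages expose a relation in the private key (the reason the advisory above
    says to upgrade, not demonstrated here).
    """

    def __init__(self, sk):
        self.sk = sk
        self.k = secrets.randbelow(Q - 1) + 1   # chosen once, never refreshed
        self.R = pow(G, self.k, P)

    def sign(self, pk, msg: bytes):
        e = challenge(self.R, pk, msg)
        return self.R, (self.k + e * self.sk) % Q


class OneTimeNonceSigner:
    """Hardened form: nonce committed per session and consumed on first use."""

    def __init__(self, sk):
        self.sk = sk
        self.pending = {}   # session id -> nonce; entry deleted once spent

    def commit(self):
        """First round: pick a fresh nonce and hand out its commitment R."""
        k = secrets.randbelow(Q - 1) + 1
        session = secrets.token_hex(8)   # assumed session identifier format
        self.pending[session] = k
        return session, pow(G, k, P)

    def sign(self, session, pk, msg: bytes):
        """Second round: spend the nonce; a second call for the same session fails."""
        k = self.pending.pop(session, None)
        if k is None:
            raise RuntimeError("nonce for this session already spent or unknown")
        R = pow(G, k, P)
        e = challenge(R, pk, msg)
        return R, (k + e * self.sk) % Q


def detect_nonce_reuse(signatures) -> bool:
    """Defender-side check over signatures from one signer: a repeated R means
    the nonce behind it was reused."""
    seen = set()
    for R, _ in signatures:
        if R in seen:
            return True
        seen.add(R)
    return False
```

The hardened signer's guard is the `pop`: once a session's nonce has produced a partial signature, it no longer exists, so a client that asks for a second signature with the same commitment gets an error instead of a second `s` under the same `k`. The detection helper is the check a signer operator could run over logged signatures to confirm no nonce was ever reused.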