GnuPG CVE-2018-12020 Signature Spoof bug


We are pleased to announce the availability of a new GnuPG release: version 2.2.8. This version fixes a critical security bug and comes with some other minor changes.



All current GnuPG versions are affected on all platforms.

All mail clients and other applications which make use of GPG but are not utilizing the GPGME library might be affected.

GnuPG Team


A critical security bug was found in GnuPG and fortunately fixed.

Does it affect me?

If you use PGP for email encryption, or you use any common Linux distribution: yes.


  • Email Encryption

The bug allows an attacker to fake (spoof) your friend’s signature and send you messages as if they came from him/her.

  • Linux distribution

The bug allows a MITM attacker who can access your traffic to spoof Linux distribution developers’ PGP signatures, replace a package you’re downloading with a malicious one, and fool your package manager’s verification procedure.

Also, a malicious mirror can distribute malicious packages to users who have it at the top of their mirrorlist.

How to fix this?!

  1. Check if you already have the fixed version: run gpg --version.
    You should see gpg (GnuPG) 2.2.8 at the top of the output (or a higher number).

  2. If you don’t have this version or a higher one, try updating your Linux using your distribution’s package manager, and check the version again.
    When this post was written, GnuPG 2.2.8+ had reached the repos of Arch Linux stable, Manjaro testing and Debian unstable (sid).

  3. If this also didn’t give you a 2.2.8+ version, you can try installing it manually.
    Binary packages are available in the following links:
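As an added example (not part of the GnuPG announcement or this post), a POSIX shell check for step 1 that parses the header line of gpg --version and compares it numerically, field by field, against 2.2.8, so that a version like 2.2.10 is not misjudged by plain string comparison. The sample outputs below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: decide whether a `gpg --version` header reports a build that
# includes the CVE-2018-12020 fix (2.2.8 or later). Fields are compared as
# numbers, so 2.2.10 is correctly treated as newer than 2.2.8.

FIXED_VERSION=2.2.8

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='gpg (GnuPG) 2.2.7
libgcrypt 1.8.2'
SAMPLE_NEW='gpg (GnuPG) 2.2.10
libgcrypt 1.8.3'

# Print the x.y.z version from the first line ("gpg (GnuPG) x.y.z ...").
gpg_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, 1 otherwise. Missing fields count as 0.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 if the output reports a fixed build, 1 if vulnerable, 2 if unparsable.
gpg_is_fixed() {
    v=$(gpg_version_from_output "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

report() {
    v=$(gpg_version_from_output "$1")
    if gpg_is_fixed "$1"; then
        echo "gpg ${v}: fixed (>= $FIXED_VERSION)"
    else
        echo "gpg ${v:-unknown}: VULNERABLE, update to $FIXED_VERSION or later"
    fi
}

report "$SAMPLE_OLD"
report "$SAMPLE_NEW"
# Check the locally installed gpg, if there is one.
if command -v gpg >/dev/null 2>&1; then report "$(gpg --version)"; fi
```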

Feel free to contact me.
