GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
| Product | Vendor | Version |
|---|---|---|
| n/a | n/a | QCA6436 |