Ian writes:

Of course, if someone can modify your private keyring, I'd suspect your TCB is toast. (Unless you're in the habit of shipping your private keyring around the Internet.)

For the interested, this is my guess at the attack.

Modify the encrypted value of p, somewhere near the middle. When decrypted, depending on the chaining mode, it's possible that only a couple of blocks of p will be mangled, and the remainder of the private key file will decrypt successfully. Here's where PGP fails to do a MAC to verify integrity of the data.

Then, it behaves just like DFA (Differential Fault Analysis). The idea is that to calculate a signature M^d mod n, we calculate M^d mod p and M^d mod q, and use the CRT to combine them to S = M^d mod n.

If p is wrong, the result S' will be correct mod q but incorrect mod p. so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p.

Therefore GCD(S' ^ e mod n, M) = q, and we're done.

Pretty good! Actually they modify what PGP calls "u", which is p^(-1) mod q, but get the same effect. PGP has a simple bytewise checksum to protect the data but it is not enough. Now can you figure out how to do it to DSS keys? Hint: you change the public, not secret, data this time.