On Wed, 29 May 2013, shawn wilson wrote:
This is sort of a trusting trust question. However, is there a way to have gpg verify it has not been altered? Maybe by compiling it with an internal key file and it asking for a password before decrypting itself and then presenting some type of verification. I'm asking whether something like this exists or is possible? I.e., how does malware do integrity checking / try to thwart people from running it if something is amiss? Can this type of thing be put into gpg?
If you run your (Linux) kernel in FIPS mode, by passing fips=1 as a kernel argument, some OSes such as RHEL or CentOS indeed do have .hmac files they check against the supported crypto libraries to see whether they have been tampered with. That currently covers libgcrypt, openssl, nss and gnutls and the FIPS-approved kernel algorithms. FIPS mode also disables non-FIPS-approved (e.g. blowfish) or weak (e.g. md5) algorithms.

But it's a race. Any (root/admin) compromise on your OS and those checking functions can also be compromised.

Paul
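
An added illustration of the sidecar .hmac check described in the reply above, and of why it stops helping once the host itself is compromised; it is not code from the thread or from any distribution. The key, the `.<name>.hmac` naming and the sample file are assumptions constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumption: a constructed key. Real FIPS modules define their own key and
# sidecar format; neither is reproduced here.
DEMO_KEY = b"constructed-demo-key"

def sidecar_path(target: Path) -> Path:
    """Hypothetical naming: a hidden '.<name>.hmac' file beside the target."""
    return target.with_name(f".{target.name}.hmac")

def compute_hmac(target: Path, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 of the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with target.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def verify(target: Path, key: bytes = DEMO_KEY) -> bool:
    """True only if the sidecar exists and matches the file's current HMAC."""
    side = sidecar_path(target)
    if not side.is_file():
        return False  # a missing sidecar is a failure, never a pass
    expected = side.read_text().strip().encode()
    return hmac.compare_digest(expected, compute_hmac(target, key).encode())

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "libdemo.so"  # constructed stand-in for a library
        lib.write_bytes(b"\x7fELF original library bytes")
        sidecar_path(lib).write_text(compute_hmac(lib) + "\n")
        # Digest recorded at install time and kept where the host cannot write.
        reference = hashlib.sha256(lib.read_bytes()).hexdigest()
        results = {"clean": verify(lib)}
        lib.write_bytes(b"\x7fELF modified library bytes")
        results["file_changed"] = verify(lib)
        # With write access to the sidecar and the key, the check passes again.
        sidecar_path(lib).write_text(compute_hmac(lib) + "\n")
        results["file_and_sidecar_changed"] = verify(lib)
        current = hashlib.sha256(lib.read_bytes()).hexdigest()
        results["offline_reference_matches"] = current == reference
        return results

if __name__ == "__main__":
    print(demo())
```

The on-host check catches a change to the file alone; only the reference kept off the host still disagrees after both the file and its sidecar have been rewritten.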
