Re: unsafe use of gpg
Hello,

On 2012-12-15 at 17:12:54, Peter Samuelson wrote:
> You're right, in gpgv, it appears you _can't_ suppress the default
> keyring, ~/.gnupg/trustedkeys.gpg. So either ensure that this file does
> not exist, or set HOME or GNUPGHOME or --homedir to a location where it
> will not exist.

$ strace gpgv foo.sign 2>&1 | grep '^open.*gpg'
open("/home/timo/.gnupg/trustedkeys.gpg", O_RDONLY) = 3
open("/home/timo/.gnupg/trustedkeys.gpg", O_RDONLY) = 5
$ strace gpgv --keyring pubring.gpg foo.sign 2>&1 | grep '^open.*gpg'
open("/home/timo/.gnupg/pubring.gpg", O_RDONLY) = 3
open("/home/timo/.gnupg/pubring.gpg", O_RDONLY) = 5
open("/home/timo/.gnupg/pubring.gpg", O_RDONLY) = 6

That's exactly the behaviour described in the manpage:

    By default it uses a keyring named ‘trustedkeys.gpg’ which is assumed
    to be in the home directory as defined by GnuPG or set by an option or
    an environment variable. An option may be used to specify another
    keyring or even multiple keyrings.

Regards,
Timo
Re: unsafe use of gpg
[Timo Juhani Lindfors]
> Peter Samuelson <pe...@p12n.org> writes:
> > Note that this adds a keyring to the current list. If the intent is to
> > use the specified keyring alone, use --keyring along with
> > --no-default-keyring.
>
> You probably read man gpg but gpgv is simpler:
>
> gpgv: Invalid option "--no-default-keyring"

You're right, in gpgv, it appears you _can't_ suppress the default
keyring, ~/.gnupg/trustedkeys.gpg. So either ensure that this file does
not exist, or set HOME or GNUPGHOME or --homedir to a location where it
will not exist.

Peter
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121215161254.go4...@p12n.org
unsafe use of gpg
Hi,

I recently looked at several packages using gpg to verify signatures and
found ways to circumvent the signature check, see [1] for a few bug
reports demonstrating this.

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=gpg-clearsign;users=ans...@debian.org

So far I have found two different problems:

1. Using cleartext signatures:

   Packages processing data using cleartext signatures (like used in
   .changes or .dsc in Debian) try to extract the signed data themselves
   and fail to do so properly. They can be tricked into extracting
   something different than gpg makes sure a valid signature exists for,
   usually by injecting whitespace or using invalid markers to mark the
   start or end of the pgp message.

2. Not asking gpg to verify signatures:

   I also found packages that call gpg in the form "gpg $file" and expect
   gpg to verify the signature on $file and output the signed data. Indeed
   it does so for *signed* files, but if you just give it unsigned data
   packed into an OpenPGP message, it will happily just extract that
   without caring about signatures. (One can generate those messages with
   'gpg --store'.)

Sadly gpg doesn't seem to provide a painless way to check for a valid
signature and extracting the signed data[2]. Or did I miss something?

[2] http://bugs.debian.org/695855

Ansgar
--
Archive: http://lists.debian.org/50cb432f.1040...@debian.org
Re: unsafe use of gpg
Ansgar Burchardt <ans...@debian.org> writes:
> I recently looked at several packages using gpg to verify signatures

Thanks for your work! Please try to raise this upstream so that they can
provide proper interfaces.

Is

/usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig
chmod a+x file
./file

still a safe way to ensure that only code signed by a key in trusted.gpg
gets executed? (Assuming of course that user can't modify the file
between the check and execution.)
--
Archive: http://lists.debian.org/844njoipms@sauna.l.org
Re: unsafe use of gpg
* Ansgar Burchardt <ans...@debian.org> [121214 16:18]:
> 2. Not asking gpg to verify signatures:
>
> I also found packages that call gpg in the form "gpg $file" and expect
> gpg to verify the signature on $file and output the signed data. Indeed
> it does so for *signed* files, but if you just give it unsigned data
> packed into an OpenPGP message, it will happily just extract that
> without caring about signatures. (One can generate those messages with
> 'gpg --store'.)
>
> Sadly gpg doesn't seem to provide a painless way to check for a valid
> signature and extracting the signed data[2]. Or did I miss something?

Instead of inventing new ways for this, I'd suggest to instead ask the
more important question: What worth is checking for a signature if you
are not checking who is signing it?

Better either use --status-fd or use some wrapper like libgpgme to
retrieve what key actually signed it and check that information instead.
(While just dumping your own keyring somewhere and assuming everything in
there might sign anything and be trusted might look like an easy hack, it
hardly scales and might be quite brittle, assuming quite some default
options to things like --auto-key-locate (and with any new options in
that direction that might still be added to gpg).)

Bernhard R. Link
--
Archive: http://lists.debian.org/20121214222149.ga19...@client.brlink.eu
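The following is an added example, not code from any of the posters, that puts Bernhard's advice (check *who* signed, via --status-fd) together with the two problems Ansgar reported and the gpgv default-keyring discussion elsewhere in the thread. It runs gpgv or gpg with --status-fd in an empty private --homedir so that ~/.gnupg and gpgv's non-suppressible trustedkeys.gpg are never consulted, lets gpg write out the signed data with --output instead of extracting it from the armor by hand, and accepts the result only when the status lines show exactly one VALIDSIG from an allow-listed fingerprint. The fingerprints and the sample status output are constructed placeholders modelled on GnuPG's documented status format; the gpg/gpgv invocations are this example's choice, not an API the thread describes.

```python
"""Accept OpenPGP-signed data only when GnuPG's --status-fd output shows exactly
one VALIDSIG from an allow-listed key.  Added example, not code from the thread."""
import os
import subprocess
import tempfile

# Constructed placeholder fingerprints; replace with the keys you actually trust.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

STATUS_PREFIX = "[GNUPG:] "
# Any of these means "do not accept", even if a VALIDSIG line is also present.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_status(status_text, trusted):
    """Return (True, signing_fingerprint) or (False, reason).

    Unsigned input such as a 'gpg --store' packet yields no VALIDSIG at all,
    so it is rejected here even though gpg happily outputs the data."""
    valid = []  # (signing key fpr, primary key fpr) per VALIDSIG line
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in REJECT_KEYWORDS:
            return (False, "signature problem: " + keyword)
        if keyword == "VALIDSIG" and len(fields) >= 2:
            signing = fields[1].upper()
            # Newer GnuPG appends the primary key fingerprint as the 11th field.
            primary = fields[10].upper() if len(fields) >= 11 else signing
            valid.append((signing, primary))
    if len(valid) != 1:
        return (False, "expected exactly one valid signature, found %d" % len(valid))
    signing, primary = valid[0]
    if signing not in trusted and primary not in trusted:
        return (False, "signed by a key not in the allow-list: " + signing)
    return (True, signing)


def _run_gnupg(argv, keyring, trusted):
    """Run gpg/gpgv in an empty, private homedir so neither ~/.gnupg nor gpgv's
    non-suppressible default trustedkeys.gpg is consulted, and decide on the
    status lines rather than on the exit code."""
    with tempfile.TemporaryDirectory() as homedir:
        # A --keyring path without a leading slash is looked up inside the
        # homedir, so pass an absolute path.
        cmd = [argv[0], "--homedir", homedir, "--keyring", os.path.abspath(keyring),
               "--status-fd", "1"] + argv[1:]
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              env=dict(os.environ, GNUPGHOME=homedir))
        return check_status(proc.stdout.decode("utf-8", "replace"), trusted)


def verify_detached(keyring, data_path, sig_path, trusted=TRUSTED_FINGERPRINTS):
    """Detached signature via gpgv: the signature file comes first, then the data."""
    return _run_gnupg(["gpgv", sig_path, data_path], keyring, trusted)


def verify_inline(keyring, signed_path, out_path, trusted=TRUSTED_FINGERPRINTS):
    """Clearsigned or normally signed file: let gpg extract the signed data to
    out_path (which must not exist yet) instead of parsing the armor by hand.
    gpg writes the data even when it is unsigned, so the output is deleted
    unless the status check passes."""
    result = _run_gnupg(["gpg", "--batch", "--no-default-keyring", "--output", out_path,
                         "--decrypt", signed_path], keyring, trusted)
    if not result[0] and os.path.exists(out_path):
        os.unlink(out_path)
    return result


# Constructed status output, modelled on gpg's documented format (not captured
# from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-15 "
    "1355587200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
SAMPLE_UNSIGNED = "[GNUPG:] PLAINTEXT 62 1355587200 foo\n[GNUPG:] PLAINTEXT_LENGTH 12\n"
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n"

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("unsigned", SAMPLE_UNSIGNED), ("bad", SAMPLE_BAD)]:
        print(name, check_status(sample, TRUSTED_FINGERPRINTS))
```

The design point is that the decision is made from the status lines, never from the exit code or from whether gpg produced output: a 'gpg --store' packet produces output and no VALIDSIG, a clearsigned file with tampered markers is extracted by gpg itself rather than by a hand-written parser, and a signature from any key that merely happens to be in some keyring is refused unless its fingerprint is on the allow-list. For the script-execution case raised in the thread, write out_path into a directory only the verifying process can write to, so the file cannot change between the check and the execution.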
Re: unsafe use of gpg
[Timo Juhani Lindfors]
> Is
>
> /usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig
> chmod a+x file
> ./file
>
> still a safe way to ensure that only code signed by a key in trusted.gpg
> gets executed?

From the manpage:

    Note that this adds a keyring to the current list. If the intent is
    to use the specified keyring alone, use --keyring along with
    --no-default-keyring.

Peter
--
Archive: http://lists.debian.org/20121214225649.gn4...@p12n.org
Re: unsafe use of gpg
Peter Samuelson <pe...@p12n.org> writes:
> Note that this adds a keyring to the current list. If the intent is to
> use the specified keyring alone, use --keyring along with
> --no-default-keyring.

You probably read man gpg but gpgv is simpler:

gpgv: Invalid option "--no-default-keyring"
--
Archive: http://lists.debian.org/84zk1fhj8m@sauna.l.org