Re: unsafe use of gpg

To: debian-devel@lists.debian.org
Subject: Re: unsafe use of gpg
From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
Date: Fri, 14 Dec 2012 18:07:23 +0200
Message-id: <[🔎] 844njoipms.fsf@sauna.l.org>
In-reply-to: <[🔎] 50CB432F.1040805@debian.org> (Ansgar Burchardt's message of "Fri, 14 Dec 2012 16:18:07 +0100")
References: <[🔎] 50CB432F.1040805@debian.org>

Ansgar Burchardt <ansgar@debian.org> writes:
> I recently looked at several packages using gpg to verify signatures

Thanks for your work! Please try to raise this upstream so that they can
provide proper interfaces.

Is

/usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig
chmod a+x file
./file

still a safe way to ensure that only code signed by a key in trusted.gpg
gets executed?  (Assuming of course that user can't modify the file
between the check and execution.)

Reply to:

Follow-Ups:
- Re: unsafe use of gpg
  - From: Peter Samuelson <peter@p12n.org>

References:
- unsafe use of gpg
  - From: Ansgar Burchardt <ansgar@debian.org>

Prev by Date: unsafe use of gpg
Next by Date: Bug#695946: ITP: libbot-basicbot-pluggable-perl -- extended simple IRC bot for pluggable modules
Previous by thread: unsafe use of gpg
Next by thread: Re: unsafe use of gpg
Index(es):
- Date
- Thread