
Re: unsafe use of gpg



* Ansgar Burchardt <ansgar@debian.org> [121214 16:18]:
> 2. Not asking gpg to verify signatures:
>
> I also found packages that call gpg in the form "gpg $file" and expect
> gpg to verify the signature on $file and output the signed data.  Indeed
> it does so for *signed* files, but if you just give it unsigned data
> packed into an OpenPGP message, it will happily just extract that
> without caring about signatures. (One can generate those messages with
> 'gpg --store'.)
>
> Sadly gpg doesn't seem to provide a painless way to check for a valid
> signature and extract the signed data[2]. Or did I miss something?

Instead of inventing new ways for this, I'd suggest asking the more
important question instead: what is checking for a signature worth
if you are not checking who signed it?

Better to either use --status-fd or some wrapper like libgpgme to
retrieve which key actually signed it, and check that information instead.

(While "just dump your own keyring somewhere and assume everything in
there might sign anything and be trusted" might look like an easy hack,
it hardly scales and might be quite brittle given some of the default
options to things like --auto-key-locate (and any new options in that
direction that might still be added to gpg).)

        Bernhard R. Link
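
The --status-fd approach recommended above, worked through as an added
POSIX shell example (this is not code from the thread or from GnuPG): the
status lines gpg writes to the status fd are parsed and the file is
accepted only when a VALIDSIG line names one pinned fingerprint, so a
"--store" message with no signature, a signature that fails, or a valid
signature from some other key in the keyring is rejected regardless of
trust settings. The fingerprints, user IDs and status lines below are
constructed samples shaped like gpg's real output, and accept_status and
verify_file are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original thread or from GnuPG:
# accept a gpg-verified file only when a VALIDSIG line names the one
# key we expect.  Fingerprints and status lines are constructed samples.

# The only signing key we accept (made-up fingerprint, 40 hex digits).
EXPECTED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# accept_status STATUS_TEXT FINGERPRINT
# Exit 0 only if STATUS_TEXT holds a "[GNUPG:] VALIDSIG" line whose
# signing-key fingerprint (field 3) or primary-key fingerprint (last
# field, present in GnuPG 2.x output) equals FINGERPRINT, and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.  TRUST_* lines are
# deliberately ignored: the key is pinned here, the trustdb is not asked.
accept_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_file FILE OUTFILE
# Real invocation for an installed gpg: status lines go to stdout (fd 1),
# the extracted payload to OUTFILE.  gpg writes OUTFILE whether or not the
# signature checks out, so callers must not use it unless this returns 0.
verify_file() {
    status=$(gpg --batch --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null) || :
    accept_status "$status" "$EXPECTED_FPR"
}

# Constructed status output: good signature from the pinned key.
SIG_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-14 1355490000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: valid signature from a fully trusted key that is not the
# pinned one.  "Is it signed by something in my keyring" would accept this.
SIG_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2012-12-14 1355490000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed: unsigned data packed with "gpg --store"; gpg extracts it
# and exits 0 without emitting any signature line at all.
SIG_NONE='[GNUPG:] PLAINTEXT 62 1355490000 data.txt
[GNUPG:] PLAINTEXT_LENGTH 42'

# Constructed: tampered data, the signature does not verify.
SIG_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'

# Stand-alone demo: only SIG_OK is accepted.
for name in SIG_OK SIG_OTHER_KEY SIG_NONE SIG_BAD; do
    eval "st=\$$name"
    if accept_status "$st" "$EXPECTED_FPR"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

Rejecting EXPKEYSIG and REVKEYSIG is a policy choice made here; gpg still
emits VALIDSIG for those signatures, so a check that looks at VALIDSIG
alone would let an expired or revoked key through.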

