diff options
| author | Werner Koch <[email protected]> | 2014-11-13 16:39:31 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-11-13 16:39:31 +0000 |
| commit | 69384568f66a48eff3968bb1714aa13925580e9f (patch) | |
| tree | fbb539760619692e2bc4069a15869889335edc3d /g10/mainproc.c | |
| parent | gpg: Fix a missing LF in debug output. (diff) | |
| download | gnupg-69384568f66a48eff3968bb1714aa13925580e9f.tar.gz gnupg-69384568f66a48eff3968bb1714aa13925580e9f.zip | |
gpg: Make the use of "--verify FILE" for detached sigs harder.
* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signatures.
--
Allowing to use the abbreviated form for detached signatures is a long
standing bug which has only been noticed by the public with the
release of 2.1.0. :-(
What we do is to remove the ability to check detached signature in
--batch using the one file abbreviated mode. This should exhibit
problems in scripts which use this insecure practice. We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:
gpgv: Good signature from "Werner Koch (dist sig)"
gpgv: WARNING: not a detached signature; \
file 'gnupg-2.1.0.tar.bz2' was NOT verified!
We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.
Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/mainproc.c')
| -rw-r--r-- | g10/mainproc.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/g10/mainproc.c b/g10/mainproc.c index bc186d3f9..b84607a7b 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2008,6 +2008,44 @@ check_sig_and_print (CTX c, kbnode_t node) *pkstrbuf?_(", key algorithm "):"", pkstrbuf); + if (!rc && !c->signed_data.used) + { + /* Signature is basically good but we test whether the + deprecated command + gpg --verify FILE.sig + was used instead of + gpg --verify FILE.sig FILE + to verify a detached signature. If we figure out that a + data file with a matching name exists, we print a warning. + + The problem is that the first form would also verify a + standard signature. This behavior could be used to + create a made up .sig file for a tarball by creating a + standard signature from a valid detached signature packet + (for example from a signed git tag). Then replace the + sig file on the FTP server along with a changed tarball. + Using the first form the verify command would correctly + verify the signature but don't even consider the tarball. */ + kbnode_t n; + char *dfile; + + dfile = get_matching_datafile (c->sigfilename); + if (dfile) + { + for (n = c->list; n; n = n->next) + if (n->pkt->pkttype != PKT_SIGNATURE) + break; + if (n) + { + /* Not only signature packets in the tree thus this + is not a detached signature. */ + log_info (_("WARNING: not a detached signature; " + "file '%s' was NOT verified!\n"), dfile); + } + xfree (dfile); + } + } + if (rc) g10_errors_seen = 1; if (opt.batch && rc) |