Hi,

I recently looked at several packages using gpg to verify signatures and found ways to circumvent the signature check, see [1] for a few bug reports demonstrating this.

[1] <http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=gpg-clearsign;users=ans...@debian.org>

So far I have found two different problems:

1. Using cleartext signatures: Packages processing data using cleartext signatures (like used in .changes or .dsc in Debian) try to extract the signed data themselves and fail to do so properly. They can be tricked into extracting something different than what gpg makes sure a valid signature exists for, usually by injecting whitespace or using invalid markers to mark the start or end of the pgp message.

2. Not asking gpg to verify signatures: I also found packages that call gpg in the form "gpg $file" and expect gpg to verify the signature on $file and output the signed data. Indeed it does so for *signed* files, but if you just give it unsigned data packed into an OpenPGP message, it will happily just extract that without caring about signatures. (One can generate those messages with 'gpg --store'.)

Sadly gpg doesn't seem to provide a painless way to check for a valid signature and extract the signed data [2]. Or did I miss something?

[2] <http://bugs.debian.org/695855>

Ansgar
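An added example, not from Ansgar's post nor from any Debian package: a wrapper that lets gpg extract the signed data itself (so no hand-rolled cleartext parsing, problem 1) and releases that output only after gpg's machine-readable status stream reports a valid signature, so a literal packet made with 'gpg --store' (problem 2) yields no VALIDSIG and is rejected. The status lines, key ids and fingerprint in the sample constants are constructed placeholders, and the stderr-based status capture is an assumption of this example.

```python
import subprocess
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Any of these keywords means a signature was present but must not be trusted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                    "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

# Constructed sample status output (placeholder key id / fingerprint).
SAMPLE_STATUS_VALID = "\n".join([
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-14 "
    "1355500000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_ULTIMATE",
])
# What a 'gpg --store' literal packet looks like: plaintext, no signature at all.
SAMPLE_STATUS_STORE = "[GNUPG:] PLAINTEXT 62 1355500000 data.txt\n"
SAMPLE_STATUS_BADSIG = ("[GNUPG:] BADSIG 0123456789ABCDEF "
                        "Example Signer <signer@example.org>\n")


def status_keywords(status_text: str) -> List[str]:
    """Collect the keyword of every '[GNUPG:] ...' line, ignoring human messages."""
    keywords = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                keywords.append(fields[0])
    return keywords


def signature_verified(status_text: str) -> bool:
    """True only if gpg reported a good, valid signature and no failure."""
    keywords = status_keywords(status_text)
    if any(k in FAILURE_KEYWORDS for k in keywords):
        return False
    # A checked signature produces both GOODSIG and VALIDSIG; a plain
    # literal packet produces neither, so it fails this test.
    return "GOODSIG" in keywords and "VALIDSIG" in keywords


def extract_verified(path: str) -> Tuple[bool, bytes]:
    """Run gpg on a signed file; return its plaintext only when verified."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--output", "-", "--decrypt", path],
        capture_output=True)
    status = proc.stderr.decode("utf-8", "replace")  # status lines share stderr here
    ok = proc.returncode == 0 and signature_verified(status)
    return ok, (proc.stdout if ok else b"")
```

`extract_verified` deliberately discards the plaintext when the check fails, so a caller cannot accidentally use unverified data the way "gpg $file" does.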