On Sat, Feb 28, 2015, at 06:23 PM, Simon Nicolussi wrote:
> [email protected] wrote:
> > I have no idea what all of this means but when I see something that says
> > "BAD signature" that tells me something is wrong.
>
> Yes, the .asc file that Nicolas was talking about is the one an attacker
> would distribute alongside a manipulated .tar.xz file. Your .asc file is
> fine, so GnuPG sounds the alarm if someone messed with the archive.
>
> An attacker, however, could easily fool GnuPG with a file inline-signed
> by the Tor Browser Developers. Using, e.g., sha256sums.incrementals.txt
> and the respective detached signature sha256sums.incrementals.txt.asc
> (both available at https://dist.torproject.org/torbrowser/4.0.4/), an
> attacker first creates a signed file with an arbitrary key:
>
> > $ gpg2 --digest-algo SHA1 --compress-algo uncompressed \
> > > --set-filename tor-browser-linux32-4.0.4_en-US.tar.xz \
> > > --output fake.asc --sign sha256sums.incrementals.txt
>
> The newly created signature packet gets thrown away:
>
> > $ eval $(gpg2 --list-packets fake.asc | grep ^# | grep " tag=2 " \
> > > | grep -o " off=[[:digit:]]* ")
> > $ dd if=fake.asc of=tor-browser-linux32-4.0.4_en-US.tar.xz.asc \
> > > bs=1 count=$off
>
> And the signature of the Tor Browser Developers takes its place:
>
> > $ gpg2 --output - --dearmor sha256sums.incrementals.txt.asc \
> > >> tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> GnuPG now won't even take a look at the .tar.xz archive when called with
> that .asc file as its only argument, but still reports a good signature.
> I've attached the file for you to try it out.
>
> > What must be done to fix this?
>
> Specify both the detached signature and the archive you want to verify.
>
> --
> Simon Nicolussi <[email protected]>
> http{s,}://{www.,}sinic.name/
> Email had 2 attachments:
> + tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>   8k (text/plain)
> + Attachment2
>   1k (application/pgp-signature)
Thanks for the help, but I have no idea if the Tor files I have are good or bad.
Here's the output from the terminal:

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key) <[email protected]>"

Are these files good or bad and not to be trusted? If not to be trusted, which
aren't to be trusted?

--
tor-talk mailing list - [email protected]
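Added example, not part of the thread and not code from the Tor project or from Simon: a small Python script that looks at the same thing `gpg2 --list-packets` shows, the OpenPGP packet tags inside an `.asc` file, and reports whether the file is a plain detached signature (signature packets only) or an inline-signed file that carries its own literal-data packet. The second kind is the one the thread warns about: passed to GnuPG on its own, it verifies the embedded data rather than your archive. Packet and armor layouts follow RFC 4880; the sample `.asc` inputs are constructed with dummy packet bodies and are not real signatures.

```python
# Added example (not from the thread): classify an OpenPGP .asc file by its
# packet tags before handing it to gpg. A detached signature consists of
# signature packets only; an inline-signed file also carries a literal-data
# packet (the signed data itself), which is what GnuPG verifies when the
# .asc is passed as the only argument. Formats follow RFC 4880.
import base64
import sys

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIGNATURE = 4
TAG_COMPRESSED_DATA = 8
TAG_LITERAL_DATA = 11


def crc24(data):
    """CRC-24 used by ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return the binary packets inside an ASCII-armored block, checking the CRC."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    start = body.index("") + 1 if "" in body else 0  # armor headers end at the blank line
    payload = [line for line in body[start:] if line and not line.startswith("=")]
    crc_lines = [line for line in body[start:] if line.startswith("=")]
    data = base64.b64decode("".join(payload))
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[-1][1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data


def _new_format_length(data, pos):
    """Decode a new-format body length; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body length


def parse_packet_tags(data):
    """Walk the packet sequence and return the tag of every packet, in order."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag = ctb & 0x3F
            length, pos, partial = _new_format_length(data, pos + 1)
            pos += length
            while partial:  # more chunks follow until a non-partial length
                length, pos, partial = _new_format_length(data, pos)
                pos += length
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:  # indeterminate length: packet runs to end of input
                pos, length = pos + 1, len(data) - pos - 1
            else:
                width = 1 << ltype  # 1, 2 or 4 length bytes
                length = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
                pos += 1 + width
            pos += length
        tags.append(tag)
    return tags


def classify_signature_file(armored_text):
    """'detached' if only signature packets, 'inline' if signed data is embedded."""
    tags = parse_packet_tags(dearmor(armored_text))
    if tags and all(tag == TAG_SIGNATURE for tag in tags):
        return "detached"
    if TAG_LITERAL_DATA in tags or TAG_COMPRESSED_DATA in tags or TAG_ONE_PASS_SIGNATURE in tags:
        return "inline"
    return "other"


def armor(data, kind="SIGNATURE"):
    """Wrap packets in ASCII armor (used here only to build the constructed samples)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"


# Constructed samples with dummy packet bodies (not real signatures).
SIG_BODY = bytes(5)
# Detached: a single old-format signature packet (tag 2, two-byte length).
SAMPLE_DETACHED = armor(bytes([0x89, 0x00, len(SIG_BODY)]) + SIG_BODY)
# Inline-signed: one-pass signature + literal data + signature, new-format headers.
LITERAL = b"b\x00\x00\x00\x00\x00" + b"placeholder signed data"
SAMPLE_INLINE = armor(
    bytes([0xC4, 13]) + bytes(13)
    + bytes([0xCB, len(LITERAL)]) + LITERAL
    + bytes([0xC2, len(SIG_BODY)]) + SIG_BODY
)

if __name__ == "__main__":
    # Usage: python check_asc.py archive.tar.xz.asc
    with open(sys.argv[1]) as handle:
        print(classify_signature_file(handle.read()))
```

An `.asc` reported as `inline` should never be verified on its own; and even a `detached` result is only a precondition, because the actual check is the one Simon gives: `gpg --verify archive.tar.xz.asc archive.tar.xz`, naming both the signature and the archive, so a `BAD signature` then really does mean the archive and the signature do not match.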
