Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4
On Fri, Feb 27, 2015, at 02:24 PM, Nicolas Vigier wrote:
> On Fri, 27 Feb 2015, andre76@xxxxxxxxxxx wrote:
>
> >
> >
> > On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > > andre76@xxxxxxxxxxx wrote:
> > > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > >
> > > Note that calling gpg --verify with a detached signature as its only
> > > argument is insecure (later versions of GnuPG should emit a warning).
> > > See my message to Gnupg-users and subsequent responses for details:
> > > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> > >
> >
> > I could read those responses until the end of time and wouldn't
> > understand anything.
> >
> > Could you tell me what I'm supposed to enter in Terminal to get a
> > response that indicates a good file or a bad file?
> >
> > Here's what I entered (2 separate ways):
> >
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> >
> > gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
> > F65C2036
> > gpg: BAD signature from "Tor Browser Developers (signing key)
> > <torbrowser@xxxxxxxxxxxxxx>"
> >
> >
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > tor-browser-linux32-4.0.4_en-US.tar.xz
>
> The good one is the second one: giving the signature file as first
> argument, and the file to be checked as second argument.
>
> The problem with giving only one argument is that if the .asc file
> contains some text with an in-line signature (rather than what people
> would expect: a detached signature for the .tar.xz file), then gpg
> will only verify this inline signature and ignore the .tar.xz file.
> And the output only tells you that there is a good signature, so you
> can't see that the .tar.xz file was not checked.
>
> Example:
>
> $ echo 'some text' > some_file.txt
> $ gpg --clearsign some_file.txt
> $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> Now the gpg command tells us the signature is good, although it has
> nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
> gpg: using RSA key 2067001B1B678A63
> gpg: Good signature from "Nicolas Vigier (boklm)
> <boklm@xxxxxxxxxxxxxxxx>"
> gpg: aka "Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxx>"
>
> But with 2 arguments it tells us something is wrong:
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> tor-browser-linux32-4.0.4_en-US.tar.xz
> gpg: not a detached signature
When run in Terminal this is what happens:
$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>"
I have no idea what all of this means but when I see something that says
"BAD signature" that tells me something is wrong.
Is the tar.xz file bad and suspect?
What must be done to fix this?
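The two points Nicolas makes above (a clearsigned .asc passes single-argument `gpg --verify` while saying nothing about the .tar.xz, and the fix is to pass the signature first and the data file second) can be wrapped in a small check. The shell functions below are an added example written for this thread, not code from the list or from the Tor Project: `asc_kind` inspects the ASCII-armor header line (RFC 4880 section 6.2) to tell a detached signature (`BEGIN PGP SIGNATURE`) from a clearsigned text (`BEGIN PGP SIGNED MESSAGE`) or an inline message (`BEGIN PGP MESSAGE`), and `verify_detached` refuses anything that is not a detached signature before calling gpg with both arguments. The function names and the sample armor files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an .asc file by its
# OpenPGP armor header before trusting a "Good signature" line, then
# verify the data file as gpg's second argument so gpg cannot end up
# checking only the .asc itself.

# asc_kind FILE: print "detached", "clearsigned", "message" or "unknown"
# according to the first armor header found in FILE.
asc_kind() {
    # Only the first "-----BEGIN PGP ..." line matters; a clearsigned text
    # also contains a BEGIN PGP SIGNATURE block further down.
    header=$(grep '^-----BEGIN PGP ' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP MESSAGE-----')        echo message ;;
        *)                                    echo unknown ;;
    esac
}

# verify_detached SIG DATA: return 0 only when SIG is a detached signature
# and gpg reports a good signature over DATA. A clearsigned or inline
# .asc is rejected before gpg runs, so "Good signature" can never refer
# to text embedded in the .asc instead of to DATA.
verify_detached() {
    sig=$1
    data=$2
    if [ -z "$sig" ] || [ -z "$data" ]; then
        echo "usage: verify_detached SIGNATURE.asc DATAFILE" >&2
        return 2
    fi
    kind=$(asc_kind "$sig")
    if [ "$kind" != detached ]; then
        echo "refusing: $sig is '$kind' armor, not a detached signature" >&2
        return 1
    fi
    # Signature first, data second. gpg exits non-zero on BAD signature,
    # on a missing public key and on "not a detached signature".
    gpg --verify -- "$sig" "$data"
}

# Typical use (the constructed filenames match the thread):
#   verify_detached tor-browser-linux32-4.0.4_en-US.tar.xz.asc \
#                   tor-browser-linux32-4.0.4_en-US.tar.xz
```

A "BAD signature" result with two arguments, as in the output quoted above, means gpg did check the .tar.xz against the detached signature and the two do not match; the check above does not change that outcome, it only guards against the other failure mode where the .tar.xz is never looked at.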
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk