Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4
On Sat, Feb 28, 2015, at 06:23 PM, Simon Nicolussi wrote:
> andre76@xxxxxxxxxxx wrote:
> > I have no idea what all of this means but when I see something that says
> > "BAD signature" that tells me something is wrong.
> Yes, the .asc file that Nicolas was talking about is the one an attacker
> would distribute alongside a manipulated .tar.xz file. Your .asc file is
> fine, so GnuPG sounds the alarm if someone messed with the archive.
> An attacker, however, could easily fool GnuPG with a file inline-signed
> by the Tor Browser Developers. Using, e.g., sha256sums.incrementals.txt
> and the respective detached signature sha256sums.incrementals.txt.asc
> (both available at https://dist.torproject.org/torbrowser/4.0.4/), an
> attacker first creates a signed file with an arbitrary key:
> > $ gpg2 --digest-algo SHA1 --compress-algo uncompressed \
> > > --set-filename tor-browser-linux32-4.0.4_en-US.tar.xz \
> > > --output fake.asc --sign sha256sums.incrementals.txt
> The newly created signature packet gets thrown away:
> > $ eval $(gpg2 --list-packets fake.asc | grep ^# | grep " tag=2 " \
> > > | grep -o " off=[[:digit:]]* ")
> > $ dd if=fake.asc of=tor-browser-linux32-4.0.4_en-US.tar.xz.asc \
> > > bs=1 count=$off
> And the signature of the Tor Browser Developers takes its place:
> > $ gpg2 --output - --dearmor sha256sums.incrementals.txt.asc \
> > >> tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> GnuPG now won't even take a look at the .tar.xz archive when called with
> that .asc file as its only argument, but still reports a good signature.
> I've attached the file for you to try it out.
> > What must be done to fix this?
> Specify both the detached signature and the archive you want to verify.
> Simon Nicolussi <sinic@xxxxxxxxxx>
> Email had 2 attachments:
> + tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> 8k (text/plain)
> + Attachment2
> 1k (application/pgp-signature)
Thanks for the help but I have no idea if the Tor files I have are good or
Here's the output from terminal:
$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
gpg: BAD signature from "Tor Browser Developers (signing key)
Are these files good or bad and not to be trusted? If not to be trusted,
which aren't to be trusted?
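Simon's reply above shows why `gpg --verify file.asc` on its own is not enough: if the .asc is really an inline-signed message (one-pass signature, literal data, signature), GnuPG verifies the embedded data and never reads the archive next to it, so the only correct invocation is `gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz`. As an added example, not code from this thread or from the Tor project, the following Python script walks the OpenPGP packet headers of a signature file (RFC 4880, sections 4.2 and 4.3, both binary and ASCII-armored) and reports whether it consists only of signature packets, i.e. is a genuine detached signature, or also carries one-pass-signature or literal-data packets, i.e. is inline-signed content that would be verified instead of the archive. The sample byte strings at the bottom are constructed for the demonstration; real packet bodies are much longer, but only the headers matter for this check.

```python
"""
Sanity-check an OpenPGP ".asc" file before trusting `gpg --verify` output:
walk its packet headers (RFC 4880, section 4.2) and report whether it is a
detached signature (signature packets only) or an inline-signed message
(one-pass signature + literal data + signature), which gpg would verify on
its own, ignoring the archive sitting next to it.
"""
import base64
import re

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIGNATURE = 4
TAG_LITERAL_DATA = 11


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (-----BEGIN PGP ...-----) and return the raw packet bytes."""
    match = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP", text, re.S)
    if match is None:
        raise ValueError("not ASCII-armored OpenPGP data")
    b64_lines = []
    in_headers = True
    for line in match.group(1).splitlines():
        line = line.strip()
        if in_headers:
            if line == "":            # blank line ends the armor header block
                in_headers = False
                continue
            if ":" in line:           # armor header such as "Version: ..."
                continue
            in_headers = False        # no header block at all: this is data
        if line == "" or line.startswith("="):   # blank or trailing CRC24 line
            continue
        b64_lines.append(line)
    return base64.b64decode("".join(b64_lines))


def openpgp_packet_tags(raw: bytes) -> list[int]:
    """Return the tag of every top-level packet in raw (armored or binary) OpenPGP data."""
    if raw.lstrip().startswith(b"-----BEGIN PGP"):
        raw = dearmor(raw.decode("ascii"))
    tags = []
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte 0x{ctb:02x} at offset {i}")
        if ctb & 0x40:                              # new-format header
            tag = ctb & 0x3F
            first = raw[i + 1]
            if first < 192:
                length, header_len = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + raw[i + 2] + 192
                header_len = 3
            elif first == 255:
                length = int.from_bytes(raw[i + 2:i + 6], "big")
                header_len = 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                       # old-format header
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 0:
                length, header_len = raw[i + 1], 2
            elif length_type == 1:
                length, header_len = int.from_bytes(raw[i + 1:i + 3], "big"), 3
            elif length_type == 2:
                length, header_len = int.from_bytes(raw[i + 1:i + 5], "big"), 5
            else:                                   # indeterminate: packet runs to the end
                length, header_len = len(raw) - i - 1, 1
        tags.append(tag)
        i += header_len + length
    return tags


def classify_signature_file(raw: bytes) -> str:
    """'detached-signature', 'inline-signed' or 'other' for the given .asc contents."""
    tags = openpgp_packet_tags(raw)
    if tags and all(tag == TAG_SIGNATURE for tag in tags):
        return "detached-signature"
    if TAG_LITERAL_DATA in tags or TAG_ONE_PASS_SIGNATURE in tags:
        return "inline-signed"
    return "other"


# Constructed sample inputs (packet bodies are dummy bytes; only the headers matter here).
# A lone old-format signature packet, the layout of a real detached .asc:
DETACHED_SIG = bytes([0x88, 0x03, 0x04, 0x00, 0x01])
# One-pass signature (tag 4) + literal data (tag 11) + signature (tag 2): inline-signed layout.
INLINE_SIGNED = bytes([0x90, 0x03, 0x03, 0x00, 0x08, 0xAC, 0x05, 0x62, 0, 0, 0, 0]) + DETACHED_SIG
# The same detached signature wrapped in ASCII armor.
ARMORED_DETACHED = (
    "-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
    + base64.b64encode(DETACHED_SIG).decode()
    + "\n=AAAA\n-----END PGP SIGNATURE-----\n"
).encode()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # usage: python check_asc.py some-file.asc
        with open(sys.argv[1], "rb") as fh:
            print(classify_signature_file(fh.read()))
    else:
        for name, sample in (("detached", DETACHED_SIG), ("inline", INLINE_SIGNED),
                             ("armored", ARMORED_DETACHED)):
            print(name, openpgp_packet_tags(sample), classify_signature_file(sample))
```

Run it with the .asc as its argument: "inline-signed" means the file is not what a detached signature should be and the "Good signature" GnuPG printed without the archive argument says nothing about the archive. This check only tells you what kind of file you are looking at; the actual verification still has to name both the detached signature and the .tar.xz, exactly as Simon says.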
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx