On Fri, 27 Feb 2015, andre76@xxxxxxxxxxx wrote:

> On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > andre76@xxxxxxxxxxx wrote:
> > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> >
> > Note that calling gpg --verify with a detached signature as its only
> > argument is insecure (later versions of GnuPG should emit a warning).
> > See my message to Gnupg-users and subsequent responses for details:
> > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
>
> I could read those responses until the end of time and wouldn't
> understand anything.
>
> Could you tell me what I'm supposed to enter in Terminal to get a
> response that indicates a good file or a bad file?
>
> Here's what I entered (2 separate ways):
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
> gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>"
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz

The good one is the second one: giving the signature file as first argument,
and the file to be checked as second argument.

The problem with giving only one argument is that if the .asc file contains
some text with an in-line signature (rather than what people would expect:
a detached signature for the .tar.xz file), then gpg will only verify this
inline signature and ignore the .tar.xz file. And the output only tells you
that there is a good signature, so you can't see that the .tar.xz file was
not checked.
Example:

$ echo 'some text' > some_file.txt
$ gpg --clearsign some_file.txt
$ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc

Now the gpg command tells us the signature is good, although it has nothing
to do with tor-browser-linux32-4.0.4_en-US.tar.xz:

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
gpg:                using RSA key 2067001B1B678A63
gpg: Good signature from "Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxxxx>"
gpg:                 aka "Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxx>"

But with 2 arguments it tells us something is wrong:

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: not a detached signature
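An added example, not from this thread and not part of GnuPG: a small Python helper that inspects the .asc file itself, reports a clearsigned text renamed to .asc as such rather than as a detached signature, and only ever runs gpg --verify with both arguments. The armor samples, the binary packet bytes and the function names are constructed for the example.

```python
import re
import subprocess

# The first ASCII-armor header in the file decides what kind of object it is.
ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----\s*$", re.M)


def classify_signature_file(data: bytes) -> str:
    """Return 'detached', 'clearsigned', 'message' or 'unknown' for the
    bytes of an .asc/.sig file. A clearsigned text that was merely renamed
    to .asc (the trick shown in the thread) comes back as 'clearsigned'."""
    m = ARMOR_BEGIN.search(data.decode("ascii", errors="replace"))
    if m:
        kind = m.group(1)
        if kind == "SIGNED MESSAGE":
            return "clearsigned"   # inline signature over text inside the file
        if kind == "SIGNATURE":
            return "detached"      # signature only; the data lives elsewhere
        if kind == "MESSAGE":
            return "message"       # encrypted or inline-signed binary message
        return "unknown"           # e.g. a PUBLIC KEY BLOCK
    # Not armored: look at the first OpenPGP packet tag (RFC 4880, section 4.2).
    if not data or not data[0] & 0x80:
        return "unknown"
    first = data[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return "detached" if tag == 2 else "message"   # tag 2 = signature packet


def build_verify_command(sig_path: str, data_path: str) -> list:
    """Always pass both paths, so gpg checks data_path against sig_path and
    says 'not a detached signature' instead of a misleading 'Good signature'."""
    return ["gpg", "--verify", sig_path, data_path]


def safe_verify(sig_path: str, data_path: str) -> bool:
    """Refuse to run gpg at all unless sig_path really is a detached signature."""
    with open(sig_path, "rb") as f:
        kind = classify_signature_file(f.read())
    if kind != "detached":
        raise ValueError(f"{sig_path} is not a detached signature ({kind})")
    return subprocess.run(build_verify_command(sig_path, data_path)).returncode == 0


# Constructed sample input (no real signatures): the renamed clearsigned file
# from the thread next to what a genuine detached armored signature looks like.
CLEARSIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nsome text\n"
               b"-----BEGIN PGP SIGNATURE-----\n\n<base64>\n-----END PGP SIGNATURE-----\n")
DETACHED = b"-----BEGIN PGP SIGNATURE-----\n\n<base64>\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    print(classify_signature_file(CLEARSIGNED), classify_signature_file(DETACHED))
```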
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk