How to sign the name of the name as well, not just the file?

Patrick Schleizer patrick-mailinglists at whonix.org
Mon Jan 12 21:46:25 CET 2015


Added Hauke, because he seems interested in OpenPGP notations [1] that I
will talk about below.

Robert J. Hansen:
>> Is there a way to make gnupg sign the name of the file as well? So
>> verification would fail if file names were renamed?
> 
> Drop version 1.7 of your 'foo' program into a directory called
> 'foo-1.7'.  Now:
> 
> tar cf foo-1.7.tar foo-1.7 && gpg --sign foo-1.7.tar
> 
> Congratulations.  Even if someone changes "foo-1.7.tar.xz" to
> "foo-1.6.tar.xz", you can trivially look inside the archive and see it's
> foo-1.7.  The contents are signed and you have some way of being able to
> verify the file version hasn't been tampered with by comparing the
> version number inside the signed tarfile with the version number on the
> tarfile.

Hm. That's one way. Thanks for taking the time to answer me. Respectfully, I
must say it still sounds non-ideal. Doesn't get me too excited.

The software shipped by the project I am working on consists of ova files,
VirtualBox image files, which are already compressed. Packing them into just
another tar archive would only add build time and complicate the steps a
user has to do. That is, unpack, then figure out that there is now some
seemingly useless sub folder. And the naming of that sub folder could
still be overlooked.

>> I know, one could create a sha512sum (or so) file that contains the
>> hash and the name of the file, then gpg sign that file. But I find
>> that method more complex, complicated, cumbersome. Is there any
>> easier and/or gpg built in way?
> 
> What you're talking about is called 'signing a manifest' and it's pretty
> much the only game in town.  That technique is in use in a lot of
> different places and it's a standard tool.  Done right, it's simple and
> easy -- I use a Python script to do this task automagically.

You mean as in creating something like a software updater system?

-----

What about OpenPGP notations?

gpg --armor --set-notation file@name="x" --detach-sign x

gpg --armor --verify-options show-notations --verify x.asc

Would that be secure? Given that users are aware of notations and
use the unpopular "--verify-options show-notations". Probably few would
know. But perhaps we can train at least a few users to check.

Any suggestion for a better OpenPGP notation name than 'file@name="..."'?

Couldn't that be turned into a good feature request for gnupg?

1) To have a standardized OpenPGP notation that includes the file name.

2) When another "check file name" OpenPGP notation is set, let gpg say
"bad signature" if the file name has been tampered with?

Cheers,
Patrick

[1] http://www.openpgp-notations.org/
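Both options raised in the thread, the signed sha512sum-style manifest and the file@name notation, leave the file-name check to the verifier. The following Python example, added here for illustration and not code from the thread or from GnuPG, shows what that verifier-side check looks like in each case: verify_manifest() walks a manifest in sha512sum format and reports a renamed file as MISSING and an altered one as FAILED, and signature_binds_name() emulates the requested "bad signature if the name was tampered with" rule by reading the NOTATION_NAME / NOTATION_DATA lines that gpg --verify --status-fd emits and requiring them to match the actual file name. The gpg invocations themselves (gpg --clearsign on the manifest, gpg --verify --status-fd 1 on the detached signature) are not run; the status output and the files are constructed samples, and the notation name file@name is the one proposed above (user notations need the "@", which is why the list archive's "file at name" is that name).

```python
"""Verifier-side file-name binding for OpenPGP signatures (added example)."""
import hashlib
import os
import re
import tempfile
from urllib.parse import unquote

# ---------- Approach 1: signed manifest in `sha512sum` format ----------

def build_manifest(paths):
    """Return "<sha512 hex>  <basename>" lines, the format `sha512sum` emits.
    Signing this text (gpg --clearsign) is what binds each name to its hash;
    that step is outside this example."""
    lines = []
    for p in paths:
        h = hashlib.sha512()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        lines.append(f"{h.hexdigest()}  {os.path.basename(p)}")
    return "\n".join(lines) + "\n"

def verify_manifest(manifest_text, directory):
    """Check every entry of a manifest whose signature has already been
    verified. Returns {name: 'OK' | 'MISSING' | 'FAILED'}; a renamed file
    shows up as MISSING, a modified one as FAILED."""
    results = {}
    for line in manifest_text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{128})  (.+)", line)
        if not m:
            continue  # ignore blank lines / clearsign armor remnants
        expected, name = m.groups()
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha512(f.read()).hexdigest()
        results[name] = "OK" if actual == expected else "FAILED"
    return results

def demo_rename_detection():
    """Constructed scenario: manifest two files, then rename one and
    append to the other, as a tampering party might; return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        ova = os.path.join(d, "image-1.7.ova")
        readme = os.path.join(d, "README")
        with open(ova, "wb") as f:
            f.write(b"pretend-ova-bytes")
        with open(readme, "wb") as f:
            f.write(b"docs")
        manifest = build_manifest([ova, readme])
        os.rename(ova, os.path.join(d, "image-1.6.ova"))  # renamed
        with open(readme, "ab") as f:
            f.write(b"!")                                  # modified
        return verify_manifest(manifest, d)

# ---------- Approach 2: file@name notation on the signature ----------

FILENAME_NOTATION = "file@name"  # notation name proposed in the post

# Constructed sample of `gpg --verify --status-fd 1` output (not real
# output; key id, user id and file name are placeholders).
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_FLAGS 0 1
[GNUPG:] NOTATION_DATA image-1.0.ova
"""

def notations_from_status(status_output):
    """Collect {notation name: value} from status-fd lines. Values are
    %XX-escaped by gpg (e.g. spaces), so they are unescaped here."""
    notes, current = {}, None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, _, arg = line[len("[GNUPG:] "):].partition(" ")
        if keyword == "NOTATION_NAME":
            current = arg
            notes.setdefault(current, "")
        elif keyword == "NOTATION_DATA" and current is not None:
            notes[current] += unquote(arg)
    return notes

def signature_binds_name(status_output, actual_name):
    """The rule the post asks gpg to apply: accept only if the signature is
    good AND the file@name notation equals the name the file actually has."""
    good = any(l.startswith("[GNUPG:] GOODSIG ")
               for l in status_output.splitlines())
    return good and notations_from_status(status_output).get(
        FILENAME_NOTATION) == actual_name

if __name__ == "__main__":
    print(demo_rename_detection())
    print(signature_binds_name(SAMPLE_STATUS, "image-1.0.ova"),
          signature_binds_name(SAMPLE_STATUS, "image-0.9.ova"))
```

In practice the verifier would pipe the real status output (gpg --verify --status-fd 1 x.asc x) into signature_binds_name() with the name of the file it actually received; the point of the example is that, with either approach, a rename is only detected if some code on the receiving side performs this comparison, which is exactly the gap the feature request above is about.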
