Incorrect(?) verification exit code for revoked certificates
Joanna Rutkowska
joanna at invisiblethingslab.com
Fri Feb 24 15:27:17 CET 2012
Hello,
I've just discovered that gnupg --verify will happily return a 0 exit code
for a signature created with a REVOKED signature.
E.g. I have imported the old kernel.org key revocation certificate, and
it's clear that gpg realizes the signing key was revoked, but still
returns 0:
[user at qubes kernel]$ gpg --verify linux-2.6.38.3.tar.bz2.sign
gpg: Signature made Thu Apr 14 22:42:05 2011 CEST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key
<ftpadmin at kernel.org>"
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: Key was used to autosigning; autosigning server
was compromised.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: C75D C40A 11D7 AF88 9981 ED5B C86B A06A 517D 0F0E
[user at qubes kernel]$ echo $?
0
While it seems to me that an error exit code should be returned in this
case. After all, a "good" signature made with a compromised key should
not be considered "good"...
This is especially important for build scripts that make use of gpg in
order to verify downloaded tarballs.
A similar issue is when one tries to verify the signature using an
untrusted key -- shouldn't gpg return an error exit code in this case as
well?
Perhaps special options might be introduced, such as
'--fail-when-revoked-key' and '--fail-when-untrusted-key', that would
add such behavior?
joanna.
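As an added example (not from the mail above and not part of GnuPG), here is a POSIX shell helper a build script could wrap around gpg so that a revoked, expired or untrusted signing key fails verification regardless of gpg's exit code. It reads the machine-readable output gpg emits with --status-fd and keys on the GOODSIG, REVKEYSIG, EXPKEYSIG, EXPSIG, BADSIG, ERRSIG, NO_PUBKEY and TRUST_* keywords documented in GnuPG's doc/DETAILS; the status lines fed to it at the end are constructed for the demo (only the key ID is taken from the mail).

```shell
#!/bin/sh
# check_gpg_status: read "[GNUPG:] ..." status lines on stdin and return 0
# only if a GOODSIG was seen, no revocation/expiry/error keyword appeared,
# and the key has full or ultimate trust. Intended use in a build script:
#
#   gpg --status-fd 1 --verify tarball.sign 2>/dev/null | check_gpg_status
#
# Distinct non-zero codes make the failure reason visible to the caller.
check_gpg_status() {
    good=0
    trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] REVKEYSIG "*) echo "signing key is revoked" >&2; return 2 ;;
            "[GNUPG:] EXPKEYSIG "*) echo "signing key is expired" >&2; return 3 ;;
            "[GNUPG:] EXPSIG "*)    echo "signature is expired" >&2;   return 3 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "bad or unverifiable signature" >&2; return 4 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
        esac
    done
    [ "$good" -eq 1 ]    || { echo "no GOODSIG seen" >&2;            return 1; }
    [ "$trusted" -eq 1 ] || { echo "signing key is not trusted" >&2; return 5; }
    return 0
}

# Constructed sample: what gpg would report for the revoked kernel.org key
# from the mail (REVKEYSIG is emitted in place of GOODSIG for a revoked key).
sample_revoked='[GNUPG:] REVKEYSIG C86BA06A517D0F0E Linux Kernel Archives Verification Key
[GNUPG:] TRUST_UNDEFINED'

# Constructed sample of a good signature by a key the user trusts ultimately.
sample_good='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Test Key
[GNUPG:] TRUST_ULTIMATE'

# Demo when run directly: the revoked sample is rejected (exit 2), the good one
# accepted (exit 0), independent of what gpg's own exit code would have been.
printf '%s\n' "$sample_revoked" | check_gpg_status
echo "revoked sample -> exit $?"
printf '%s\n' "$sample_good" | check_gpg_status
echo "good sample -> exit $?"
```

Note that a key that is merely untrusted (the second case raised in the mail) still yields GOODSIG, so the TRUST_* check is what turns it into a failure here.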