security issue with signing files

David Shaw
Sat Nov 24 18:39:02 2001

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 24, 2001 at 11:42:24PM +0800, Kent Tong wrote:
> Dear all,
> Suppose a user is about to sign a file that he has just viewed, but someo=
> else modifies the files over the network, then he will sign over the
> arbitrary
> contents written by anyone who has write access? How to solve this
> problem? This is a common case when the superior is reviewing and signing
> a document (in a shared project folder) created by a subordinate.

This sort of race condition is a general difficulty in many
security-related applications.

GnuPG, quite properly, is going to sign whatever it reads, so the
trick is to guarantee that you give it only what you want it to sign.
There is no one perfect solution for this - you need to look at your
own situation and make sure that any proposed solution addresses that

All that said, a possible solution to your problem is to make a local
copy of the file to be signed in a place that only you can write to,
and verify that local copy is the one you want to sign before signing
it.  Is that perfectly secure?  No.  It just changes the threat
model.  Only you can decide if it changes it enough to make your
application safe enough.

Another way to approach the problem is a program that reads the file
into memory, shows it to you for approval, then pipes it directly from
memory to GnuPG for signing.  This has the advantage of raising the
bar fairly high for an attacker - it is harder (but again, not
impossible) to modify the memory of a running process.

On the brighter side, if you have an attacker that can modify the
memory of a running process or replace files on media that "only you"
can write to, you have other things to worry about :)


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.6b (GNU/Linux)