security issue with signing files
Sat Nov 24 20:38:01 2001
David Shaw <firstname.lastname@example.org> writes:
> All that said, a possible solution to your problem is to make a local
> copy of the file to be signed in a place that only you can write to,
> and verify that local copy is the one you want to sign before signing
> it. Is that perfectly secure? No. It just changes the threat
> model. Only you can decide if it changes it enough to make your
> application safe enough.
>
> Another way to approach the problem is a program that reads the file
> into memory, shows it to you for approval, then pipes it directly from
> memory to GnuPG for signing. This has the advantage of raising the
> bar fairly high for an attacker - it is harder (but again, not
> impossible) to modify the memory of a running process.

I don't think either scenario (local copy vs. in-memory copy) makes much
of a difference. If an attacker is able to fiddle with my files, in
all but a few constructed cases, he can also take over my
account, grab the secret key, and eavesdrop on the passphrase.