auto sign files
linux at codehelp.co.uk
Sun Jan 16 12:01:01 CET 2005
On Sunday 16 January 2005 5:11 am, Mark Ivs wrote:
> I have the following line in my perl script that signs
> and encrypts files.
Signing is a personal act, that's why it requires a passphrase. If you want to
sign automatically, use a non-personal key that doesn't have ANY passphrase
set. You cannot trust any machine to sign FOR you, recording the passphrase
in any form of script is simply insecure. There is no difference between
using a passphrase in clear text in the script and using no passphrase at
all! You wouldn't consider a key without a passphrase as secure - why do you
think storing the passphrase in clear text is going to be OK?
(Or do you keep your current passphrase on a post-it note on your monitor for
everyone to read?)
You said nothing all through this about automating this process - you've
talked only of signing files manually. It's a completely different issue.
1. You cannot sign a personal signature automatically (because you have to be
2. Any machine operated signature isn't worth verifying because the script
will sign anything it's told to sign.
A signature made by a script doesn't verify anything - it just means that the
script is functioning. Anyone with authorised or unauthorised access to the
machine can sign the files - no matter what they contain.
You're not even doing this on a secure system, it's Windows! You have no idea
if that box is already compromised. There could be someone with a trojan
already available who could put their own files on that box and the script
would sign the files!!! You'd be sending your customer a signed and encrypted
TROJAN! Best of all, the attacker would have absolute anonymity because he'd
be putting files on YOUR machine and using YOUR key!
Explain to your 'customer' - the choices are:
1. Files are only encrypted, not signed at all.
2. Files are signed with a machine-only worthless signature.
3. Files are only released when you are awake.
Any other option is untenable and explain why. Don't accept a customer who
would be happy with the attack described above - s/he will quickly blame you
if it happens and their machines get attacked via your poor signature
process. If there's money involved, it's imperative that you do not open
yourself to this risk - by not signing any files automatically - or s/he will
have every reason to sue you for negligence. Do you have that kind of money?
A signature made by a machine cannot be trusted because the key cannot be
trusted - the machine will sign everything that is thrown at it.
We've had this discussion before about the GD - people's trust models vary but
If you can't sign the file personally, don't sign the file at all.
How often are these files changing? What on earth are you actually doing?
> The problem is I need to run my perl script as a batch
> file through Windows NT scheduled task,
Why not make it easier for an attacker to find the passphrase by putting the
passphrase and the secret key on your home page? This is NOT a secure way of
using a key!
> which is
> scheduled to run a few times a day.
Then change the schedule. I do this every day - I let the script do everything
up to the point where a signature is required for the final file. Then it
waits and only proceeds if the signature file can be found and verified.
Verifying a signature doesn't require the passphrase, just the public key.
You can be notified or reminded by email, even SMS if you configure it (and
pay for it IIRC).
> That means I cannot
> manually type the passphrase every time. So, I was
> wondering if there is a way to enter the passphrase in
> the above gpg command itself. Or is there any other
> solution to this problem?
> I believe others must have
> run into this issue before, since it looks like a
> common problem.
Only for those who don't have a clear understanding of security and the
reasons for signing files.
Decide clearly whether you want to sign these files:
1. as a person - in which case YOU need to be there. OR
2. as a script - in which case use a separate key and advise your customer
that the signature is worse than useless should your machine be compromised.
Naturally, you would assure your customer you would make every effort to
prevent such an attack but that you cannot guarantee that the machine has NOT
been attacked when the automated signature is made (because you won't be
logged in at the time to check).
The customer MUST be clear that this would be a MACHINE signature and it has
NO correlation with you as an individual - or any other individual. You
cannot be held personally responsible for the content of the signed files.
(So what's the point?)
If they are willing to accept that, they have only themselves to blame. To me,
such signatures are worse than useless.
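As an added illustration of the gated workflow described above (let the job do everything that needs no secret key, then proceed only once a detached signature made by a person is present and verifies against the public key), here is example Perl; it is not the original poster's script nor anything from the list, and the paths, fingerprint and customer key ID are placeholders.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script. The unattended job does
# everything that needs no secret key (build, then encrypt to the customer's
# public key) and ships only once a person has made a detached signature that
# verifies against the signer's PUBLIC key. No passphrase is stored anywhere.
# All paths, fingerprints and the build step are placeholders.
use strict;
use warnings;

my $file     = 'C:/releases/release.zip';              # produced unattended
my $sig      = "$file.sig";                            # made later, by hand: gpg -b release.zip
my $signer   = 'PLACEHOLDER_40_HEX_DIGIT_FINGERPRINT'; # the person's key, public part only
my $customer = 'PLACEHOLDER_CUSTOMER_KEY_ID';
my $status   = 'C:/releases/gpg-status.txt';

build_release($file);                  # step 1: no key material involved

for (1 .. 12) {                        # step 2: wait up to an hour for a human signature
    if (-e $sig && signed_by($file, $sig, $signer)) {
        encrypt_for($file, $customer); # needs only the customer's public key
        exit 0;
    }
    sleep 300;
}
die "no valid signature for $file; nothing shipped\n";   # an unsigned file never leaves

sub signed_by {
    my ($data, $detached, $want) = @_;
    unlink $status;
    # Exit status alone is not enough: a good signature by ANY key on the keyring
    # would pass, so read gpg's machine-readable status and check the fingerprint.
    system('gpg', '--batch', '--status-file', $status,
           '--verify', $detached, $data) == 0 or return 0;
    open my $fh, '<', $status or return 0;
    while (my $line = <$fh>) {
        # [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
        next unless $line =~ /^\[GNUPG:\] VALIDSIG (\S+)(.*)$/;
        my ($sigfpr, @rest) = ($1, split ' ', $2);
        return 1 if $sigfpr eq $want || (@rest && $rest[-1] eq $want);
    }
    return 0;
}

sub encrypt_for {
    my ($data, $recipient) = @_;
    system('gpg', '--batch', '--yes', '--trust-model', 'always', '--recipient', $recipient,
           '--output', "$data.gpg", '--encrypt', $data) == 0 or die "encryption failed\n";
}

sub build_release {   # placeholder for the real unattended work
    my ($out) = @_;
    -e $out or die "$out was not produced\n";
}
```

The person signs with their own key whenever they are at the machine; the scheduled job only ever calls gpg in modes that need public keys, so a compromised box can at worst ship nothing.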