auto sign files

Neil Williams linux at codehelp.co.uk
Sun Jan 16 12:01:01 CET 2005


On Sunday 16 January 2005 5:11 am, Mark Ivs wrote:
> Hello,
> I have the following line in my perl script that signs
> and encrypt files.

Signing is a personal act, that's why it requires a passphrase. If you want to 
sign automatically, use a non-personal key that doesn't have ANY passphrase 
set. You cannot trust any machine to sign FOR you; recording the passphrase 
in any form of script is simply insecure. There is no difference between 
using a passphrase in clear text in the script and using no passphrase at 
all! You wouldn't consider a key without a passphrase as secure - why do you 
think storing the passphrase in clear text is going to be OK?

(Or do you keep your current passphrase on a post-it note on your monitor for 
everyone to read?)
:-)

You said nothing all through this about automating this process - you've 
talked only of signing files manually. It's a completely different issue.

1. You cannot sign a personal signature automatically (because you have to be 
there).
2. Any machine operated signature isn't worth verifying because the script 
will sign anything it's told to sign.

A signature made by a script doesn't verify anything - it just means that the 
script is functioning. Anyone with authorised or unauthorised access to the 
machine can sign the files - no matter what they contain.

You're not even doing this on a secure system, it's Windows! You have no idea 
if that box is already compromised. There could be someone with a trojan 
already available who could put their own files on that box and the script 
would sign the files!!! You'd be sending your customer a signed and encrypted 
TROJAN! Best of all, the attacker would have absolute anonymity because he'd 
be putting files on YOUR machine and using YOUR key!

Explain to your 'customer' - the choices are:
1. Files are only encrypted, not signed at all.
2. Files are signed with a machine-only worthless signature.
3. Files are only released when you are awake.

Any other option is untenable; explain why. Don't accept a customer who 
would be happy with the attack described above - s/he will quickly blame you 
if it happens and their machines get attacked via your poor signature 
process. If there's money involved, it's imperative that you do not open 
yourself to this risk - by not signing any files automatically - or s/he will 
have every reason to sue you for negligence. Do you have that kind of money?

A signature made by a machine cannot be trusted because the key cannot be 
trusted - the machine will sign everything that is thrown at it.

We've had this discussion before about the GD - people's trust models vary but 
that's mine.

If you can't sign the file personally, don't sign the file at all.

How often are these files changing? What on earth are you actually doing?

> The problem is I need to run my perl script as a batch
> file through Windows NT scheduled task,

Why not make it easier for an attacker to find the passphrase by putting the 
passphrase and the secret key on your home page? This is NOT a secure way of 
using a key!

> which is 
> scheduled to run few times a day.

Then change the schedule. I do this every day - I let the script do everything 
up to the point where a signature is required for the final file. Then it 
waits and only proceeds if the signature file can be found and verified.

Verifying a signature doesn't require the passphrase, just the public key.

You can be notified or reminded by email, even SMS if you configure it (and 
pay for it IIRC).

> That means I cannot 
> manually type the passphrase every time. So, I was
> wondering if there is a way to enter the passphrase in
> the above gpg command itself. Or is there any other
> solution to this problem?

Not securely.

> I believe others must have 
> run into this issue before, since it looks like a
> common problem.

Only for those who don't have a clear understanding of security and the 
reasons for signing files.

Decide clearly whether you want to sign these files:

1. as a person - in which case YOU need to be there. OR
2. as a script - in which case use a separate key and advise your customer 
that the signature is worse than useless should your machine be compromised. 

Naturally, you would assure your customer you would make every effort to 
prevent such an attack but that you cannot guarantee that the machine has NOT 
been attacked when the automated signature is made (because you won't be 
logged in at the time to check).

The customer MUST be clear that this would be a MACHINE signature and it has 
NO correlation with you as an individual - or any other individual. You 
cannot be held personally responsible for the content of the signed files. 
(So what's the point?)

If they are willing to accept that, they have only themselves to blame. To me, 
such signatures are worse than useless.

-- 

Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
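The workflow Neil describes above (let the scheduled job do everything up to the signature, then have it wait and proceed only once a signature file is present and verifies, which needs only the public key) can be scripted like this. This is an added example, not code from the original mail or from the list; the paths, the `RELEASE_FILE` and `SIGNER_FPR` variables and the `FILE.sig` naming are assumptions, and it assumes the signer's public key has already been imported into the keyring of the account that runs the job.

```sh
#!/bin/sh
# Added example, not from the original mail. The scheduled job prepares the
# file, then refuses to ship it until a detached signature made by a human
# (on their own machine) is present and verifies. gpg --verify needs only the
# signer's PUBLIC key, so no passphrase and no secret key ever touch the
# batch machine.
#
# Assumptions (constructed for this example): the signer's public key is
# already in the keyring of the account running the job; the signature
# arrives as FILE.sig next to FILE; the expected signer's fingerprint is
# passed as uppercase hex with no spaces.

# release_if_verified FILE SIGFILE [EXPECTED_FINGERPRINT]
# Exit status: 0 = ship it; 1 = FILE missing; 2 = no signature yet (wait for
# the next scheduled run); 3 = gpg not installed; 4 = signature bad or signer
# key unknown; 5 = good signature, but from a key other than the one expected.
release_if_verified() {
    file=$1
    sig=$2
    expected_fpr=$3
    [ -f "$file" ] || return 1
    [ -f "$sig" ] || return 2
    command -v gpg >/dev/null 2>&1 || return 3
    # --batch guarantees gpg never prompts; --status-fd 1 emits machine-readable
    # lines such as "[GNUPG:] VALIDSIG <fingerprint> ..." on stdout.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 4
    # A good signature from *any* key in the keyring is not enough: pin the
    # signer, so a stray key that ends up imported on this box cannot pass.
    if [ -n "$expected_fpr" ]; then
        printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 5
    fi
    return 0
}

# Scheduled entry point: prints a human-readable outcome and propagates the
# status so the scheduler logs a non-zero exit until the signature is in place.
main() {
    out=$1
    fpr=$2
    release_if_verified "$out" "$out.sig" "$fpr"
    rc=$?
    case $rc in
        0) echo "good signature on $out from $fpr: releasing" ;;
        1) echo "$out not built yet: nothing to do" ;;
        2) echo "no signature for $out yet: will check again on the next run" ;;
        3) echo "gpg not found on this machine" ;;
        4) echo "signature on $out did NOT verify: not releasing" ;;
        5) echo "signature on $out is from an unexpected key: not releasing" ;;
    esac
    return $rc
}

# The scheduled task sets RELEASE_FILE and SIGNER_FPR in its environment
# (constructed variable names); nothing runs when they are absent.
if [ -n "${RELEASE_FILE:-}" ]; then
    main "$RELEASE_FILE" "${SIGNER_FPR:-}"
fi
```

The point of pinning the fingerprint is that `gpg --verify` exits 0 for a good signature from any key it knows, so without the check a signature from some other key in the keyring would be enough to release the file. The job exits non-zero until the signature turns up, which is what you want a scheduler to record.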


More information about the Gnupg-users mailing list