GnuPG Summer Riddle 2007 [SOLUTION]
Ingo Klöcker
kloecker at kde.org
Sat Jan 26 00:48:18 CET 2008
On Friday 25 January 2008, Sascha Wilde wrote:
> Ingo Klöcker <kloecker at kde.org> wrote:
> > On Thursday 24 January 2008, Sascha Wilde wrote:
> >> Bernhard Reiter <bernhard at intevation.de> wrote:
> >>
> >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER
> >> WARNING
> >>
> >> SOLUTION
> >>
> >> SPOILER WARNING - SPOILER WARNING - SPOILER WARNING - SPOILER
> >> WARNING
> >
> > 0x01: Signature of a canonical text document.
> > Typically, this means the signer owns it, created it, or
> > certifies that it has not been modified. The signature is
> > calculated over the text data with its line endings
> > converted to <CR><LF> and trailing blanks removed.
> >
> > So it's not just line endings but also trailing blanks.
>
> True. So it seems that whitespace[0] programs are the ideal target
> for forged signatures of this kind...
Yeah, I had the same thought.
> > Nice. The attached files are my crude bash-based proof of concept.
>
> From your POC:
>
> appname=`basename "$0"`
> if [ "$appname" == "app4.sh" ]; then
>
> :-)
>
> Actually this was my very first thought when reading the riddle, too.
> But Bernhard told me that it is not the solution and that he would
> consider this a breach of "do not depend on external factors" (part
> of rule b) ).
>
> Maybe it should have been added to the description, that the two app
> files differ (have different md5sums).
In fact, I ran md5sum on the two files to check this. Also I renamed
app4.py to app5.py and vice versa to check the theory of an app name
dependent output. I have to admit that my PoC is pretty lame.

For the fun of it I've written a generator for python apps printing an
arbitrary string. All generated apps verify against the attached
signature file. And as a plus each generated app is again a generator,
i.e. the generator is self-replicating (albeit in the most simple way).

Example usage:
# python app-generator.py "Hi, I'm your app tonight." >app4-gen.py
# python app-generator.py 'Showing resistors is futile, you will be policed!' >app5-gen.py
# python app4-gen.py
Hi, I'm your app tonight.
# python app5-gen.py
Showing resistors is futile, you will be policed!
# gpg2 --verify app-generator.py.sig app4-gen.py
gpg: Signature made Sat 26 Jan 2008 12:32:39 AM CET using DSA key ID 30E0B9D8
gpg: please do a --check-trustdb
gpg: Good signature from "Ingo Klöcker <kloecker at kde.org>"
gpg: aka "Ingo H. Klöcker <ingo.kloecker at web.de>"
gpg: aka "Ingo H. Klöcker <ingo.kloecker at matha.rwth-aachen.de>"
# gpg2 --verify app-generator.py.sig app5-gen.py
gpg: Signature made Sat 26 Jan 2008 12:32:39 AM CET using DSA key ID 30E0B9D8
gpg: please do a --check-trustdb
gpg: Good signature from "Ingo Klöcker <kloecker at kde.org>"
gpg: aka "Ingo H. Klöcker <ingo.kloecker at web.de>"
gpg: aka "Ingo H. Klöcker <ingo.kloecker at matha.rwth-aachen.de>"
Have fun!
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: app-generator.py
Type: application/x-python
Size: 557 bytes
Desc: not available
URL: </pipermail/attachments/20080126/0c66dc23/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: app-generator.py.sig
Type: application/octet-stream
Size: 65 bytes
Desc: not available
URL: </pipermail/attachments/20080126/0c66dc23/attachment.obj>
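The canonicalization rule quoted in this thread (line endings converted to <CR><LF>, trailing blanks removed), as an added example that is not part of the original post and is not GnuPG's code: it computes the bytes a 0x01 text signature covers and reports the trailing whitespace that falls outside them. The function names, the sample files and the reading of "blanks" as space and tab are assumptions made for the illustration.

```python
import hashlib

BLANKS = b" \t"  # assumption: "trailing blanks" means spaces and tabs


def _strip(line: bytes) -> bytes:
    """Drop a CR left over from CRLF, then the trailing blanks."""
    return line.rstrip(b"\r").rstrip(BLANKS)


def canonicalize(data: bytes) -> bytes:
    """Bytes a 0x01 text signature covers under the rule quoted in the thread."""
    lines = data.split(b"\n")
    tail = lines.pop()  # text after the last LF; empty if the file ends in LF
    return b"".join(_strip(l) + b"\r\n" for l in lines) + _strip(tail)


def uncovered_whitespace(data: bytes) -> list[tuple[int, int]]:
    """(line number, byte count) of trailing blanks the signature ignores."""
    report = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        bare = line.rstrip(b"\r")
        extra = len(bare) - len(bare.rstrip(BLANKS))
        if extra:
            report.append((number, extra))
    return report


def same_signed_text(a: bytes, b: bytes) -> bool:
    """True when both inputs canonicalize to the same signed bytes."""
    return canonicalize(a) == canonicalize(b)


# Constructed sample files: same visible text, different raw bytes.
FILE_A = b"print('hello')\nprint('done')\n"
FILE_B = b"print('hello') \t \r\nprint('done')\t\n"

if __name__ == "__main__":
    for name, blob in (("A", FILE_A), ("B", FILE_B)):
        digest = hashlib.sha256(blob).hexdigest()[:16]
        print(name, digest, uncovered_whitespace(blob))
    print("same signed text:", same_signed_text(FILE_A, FILE_B))
```

A file with a non-empty report carries bytes that a text-mode signature does not protect; a binary document signature (type 0x00) is computed over the raw bytes instead.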