Security Concern: Unsigned Windows Executable
John at Mozilla-Enigmail.org
Tue Jun 2 12:26:01 CEST 2009
Doug Bateman wrote:
> I challenged myself to verify all software that I download on my new
> machine is verified and signed. Sadly, Win-GnuPG let me down. Heres why.
What's Win-GnuPG? Are you referring to the windows installer build of
GnuPG from http://www.gnupg.org/download/ as such? It's just GnuPG.
> Most software was distributed as a signed .exe file (using the Windows
> signed .EXE format). Some was not signed, but available via an https
> connection, allowing me to verify the originating source. And some,
> such as Gygwin, WinGnuPG, and sha1sum, required I already have GnuPG or
> sha1sum already installed to verify the .sig. Of course, this creates a
> bootstrapping problem for several reasons: 1) These .exe's aren't signed
> windows .exe's, 2) They aren't available via https (and thus can't
> ensure there isnt' a man-in-the middle), and 3) Even if I had sha1sum,
> I'd have to use http and not https to download the .sig file, allowing
> for the man-in-the-middle to deliver a checksum matching his hacked version.
> Using GnuPG to verify downloads does nothing, if I can't verify that
> GnuPG itself isn't valid.
I believe the Windows signed .EXE format is X.509 cert based and as such
isn't going to help much if the signing certificate doesn't chain back
to Windows set of root certs. COTS products will probably invest the
money to implement this, it's unlikely for F/OSS. It also assumes the
Microsoft technology to create Authenticode signatures is available to
Your MITM scenarios leave out the crucial step of your attacker also
needing to possess Werner Koch's signing key. The .SIG is not just a
checksum, it is a digital signature. The verification looks like this:
$ gpg -v gnupg-w32cli-1.4.9.exe.sig
gpg: assuming signed data in `gnupg-w32cli-1.4.9.exe'
gpg: Signature made 03/26/08 12:51:54 using RSA key ID 1CE0C630
gpg: using PGP trust model
gpg: Good signature from "Werner Koch (dist sig) <dd9jn at gnu.org>"
gpg: binary signature, digest algorithm SHA1
Your #3 comment is confusing. There is no .SIG to download if verifying
with sha1sum. You run sha1sum against the file you wish to verify and
compare the program output with the published value.
Are you proposing some MITM attack of a replaced installer executable
with an /identical/ SHA-1 value?
sha1sum and md5sum are widely available as source. If you're so
committed to this verified and signed thing that you're unwilling to
trust anything, you probably should look into building some things of
sha1sum is available as source and/or windows executable along with the
respective digital signatures from ftp://ftp.gnupg.org/gcrypt/binary/
Sooner or later you have to establish a base trust.
OH! Maybe you could use an eval version of PGP to verify the
cryptographic signature on the GnuPG installer. Of course that probably
hinges on its installer being a Windows signed-executable right? ;-)
Links discussed in this message:
SHA-1 checksum for Installer
> P.S. Please CC: me on the reply if possible.
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 678 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users