"gpg: Signature made <date time>" tamper resistant?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 4 00:38:49 CET 2013


On 03/01/2013 01:47 PM, adrelanos wrote:
> is the gpg output "gpg: Signature made <date time>" tamper resistant?
> 
> Or in other words, is the date and time taken from the signer's machine
> clock and signed with the signer's private key?

The signature time is signed with the signer's private key, so you can
verify the date/time that the signer intended to put there.  There is no
way to verify the origin of the timestamp, though (that is, you can't
prove that it was taken from the machine clock).  Even if LD_PRELOAD
hacks like faketime or datefudge didn't exist, a user with physical
control of the machine could just reset the clock to whatever they
wanted, make the signature, and then reset the clock again.

	--dkg
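
Added example, not part of the original message: a minimal parser for the body of a v4 signature packet as laid out in RFC 4880, showing that the creation time is a 4-byte subpacket in the hashed (signed) area, so it cannot be altered after signing, while its value is simply whatever the signer wrote. The function names and the sample bytes are constructed for illustration, and the sample omits the signature MPIs.

```python
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME = 2  # subpacket type, RFC 4880 section 5.2.3.4

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def creation_time(sig_body):
    """Return (UTC datetime, covered_by_signature) from a v4 signature body."""
    if len(sig_body) < 8 or sig_body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    off = 6 + hashed_len
    if off + 2 > len(sig_body):
        raise ValueError("truncated hashed area")
    unhashed_len = struct.unpack(">H", sig_body[off:off + 2])[0]
    areas = ((True, sig_body[6:off]),
             (False, sig_body[off + 2:off + 2 + unhashed_len]))
    for covered, area in areas:
        for sp_type, data in subpackets(area):
            if sp_type == SIG_CREATION_TIME and len(data) == 4:
                ts = struct.unpack(">I", data)[0]
                return datetime.fromtimestamp(ts, timezone.utc), covered
    raise ValueError("no signature creation time subpacket")

def build_sample(ts, in_hashed=True):
    """Constructed v4 signature body (no MPIs) carrying creation time ts."""
    time_sp = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", ts)
    issuer_sp = bytes([9, 16]) + bytes(8)     # issuer key ID, all zeros
    hashed, unhashed = ((time_sp, issuer_sp) if in_hashed
                        else (b"", time_sp + issuer_sp))
    return (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")
```

A timestamp found only in the unhashed area (the `False` case) is not covered by the signature at all and should not be trusted by a verifier.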
