Detached signature ambiguity

Werner Koch wk at gnupg.org
Thu Nov 13 18:01:10 CET 2014 

On Fri,  7 Nov 2014 22:21, sinic at sinic.name said:

> I've attached an exemplary signature file (named gnupg-2.1.0.tar.bz2.sig
> for your convenience) that demonstrates the problem:

Thanks that was useful for testsing.  What I did is:

commit 69384568f66a48eff3968bb1714aa13925580e9f (HEAD, refs/heads/wk-master)
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Nov 13 17:39:31 2014 +0100

    gpg: Make the use of "--verify FILE" for detached sigs harder.
    
    * g10/openfile.c (open_sigfile): Factor some code out to ...
    (get_matching_datafile): new function.
    * g10/plaintext.c (hash_datafiles): Do not try to find matching file
    in batch mode.
    * g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
    matching data file is not used by a standard signatures.
    --
    
    Allowing to use the abbreviated form for detached signatures is a long
    standing bug which has only been noticed by the public with the
    release of 2.1.0.  :-(
    
    What we do is to remove the ability to check detached signature in
    --batch using the one file abbreviated mode.  This should exhibit
    problems in scripts which use this insecure practice.  We also print a
    warning if a matching data file exists but was not considered because
    the detached signature was actually a standard signature:
    
      gpgv: Good signature from "Werner Koch (dist sig)"
      gpgv: WARNING: not a detached signature; \
      file 'gnupg-2.1.0.tar.bz2' was NOT verified!
    
    We can only print a warning because it is possible that a standard
    signature is indeed to be verified but by coincidence a file with a
    matching name is stored alongside the standard signature.
    
    Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
    Signed-off-by: Werner Koch <wk at gnupg.org>

Now waiting which tools or scripts will break.  I checked a few
(including dpkg) and they do the Right Thing.

Shall this be ported to 2.0 and 1.4 and fixes released?  I guess yes.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list