How to sign the name of the file as well, not just the file?

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 12 20:14:36 CET 2015


> Is there a way to make gnupg sign the name of the file as well? So
> verification would fail if file names were renamed?

Drop version 1.7 of your 'foo' program into a directory called
'foo-1.7'.  Now:

tar cf foo-1.7.tar foo-1.7 && gpg --sign foo-1.7.tar

Congratulations.  Even if someone changes "foo-1.7.tar.xz" to
"foo-1.6.tar.xz", you can trivially look inside the archive and see it's
foo-1.7.  The contents are signed and you have some way of being able to
verify the file version hasn't been tampered with by comparing the
version number inside the signed tarfile with the version number on the
tarfile.

> I know, one could create a sha512sum (or so) file that contains the
> hash and the name of the file, then gpg sign that file. But I find
> that method more complex, complicated, cumbersome. Is there any
> easier and/or gpg built in way?

What you're talking about is called 'signing a manifest' and it's pretty
much the only game in town.  That technique is in use in a lot of
different places and it's a standard tool.  Done right, it's simple and
easy -- I use a Python script to do this task automagically.
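
The manifest approach described above, as an added example; this is not Mr. Hansen's script and not part of the original post. It assumes only a directory of release files and a working gpg with a default secret key for the two signing/verification helpers at the end (those shell out to gpg and are the only parts that need it; building and checking the manifest itself needs nothing beyond the standard library). The manifest uses the same "<hex digest>  <name>" layout sha512sum emits, so `sha512sum -c` can check it too. The security point it shows: because the file name is part of the signed text, renaming foo-1.7.tar to foo-1.6.tar makes verification report the signed name as missing, whereas a plain signature over the file's bytes says nothing about its name.

```python
# Added example (not the original poster's script): build, check and sign
# a manifest that binds each file's name to its hash. Renaming a listed
# file after signing makes verification fail, which a bare signature over
# the file's bytes would not do.
import hashlib
import os
import subprocess

DIGEST_HEX_LEN = 128  # SHA-512 is 64 bytes, 128 hex characters


def sha512_hex(path, chunk=1 << 20):
    """Hex SHA-512 of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory, names):
    """Return manifest text in sha512sum's '<hex>  <name>' layout.

    Only bare file names are accepted: a path component in the manifest
    would let a signed entry point outside the release directory.
    """
    lines = []
    for name in sorted(names):
        if os.sep in name or "/" in name or name in (".", ".."):
            raise ValueError("manifest names must be bare file names: %r" % name)
        lines.append("%s  %s" % (sha512_hex(os.path.join(directory, name)), name))
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse manifest text into {name: hex_digest}; reject malformed lines.

    The digest is fixed-width, so the name is simply everything after the
    two-space separator; names containing double spaces survive intact.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line[:DIGEST_HEX_LEN], line[DIGEST_HEX_LEN:DIGEST_HEX_LEN + 2], line[DIGEST_HEX_LEN + 2:]
        if sep != "  " or not name or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed manifest line %d: %r" % (lineno, line))
        entries[name] = digest
    return entries


def verify_manifest(directory, text):
    """Check every manifest entry against the files in the directory.

    Returns a list of problems ('<name>: missing' or '<name>: hash mismatch');
    an empty list means every signed name is present with the recorded hash.
    A file renamed after signing shows up as 'missing', because the name the
    signer vouched for no longer exists.
    """
    problems = []
    for name, expected in parse_manifest(text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
        elif sha512_hex(path) != expected:
            problems.append("%s: hash mismatch" % name)
    return problems


def sign_manifest(manifest_path):
    """Clearsign the manifest with gpg's default key (needs gpg and a secret key)."""
    subprocess.run(["gpg", "--clearsign", "--output", manifest_path + ".asc",
                    manifest_path], check=True)


def verify_signed_manifest(directory, asc_path):
    """Verify the clearsigned manifest, then the files it lists.

    'gpg --decrypt' on a clearsigned file checks the signature and emits the
    signed text; gpg exits non-zero on a bad or uncheckable signature, so
    check=True raises before any hash is compared.
    """
    out = subprocess.run(["gpg", "--decrypt", asc_path], check=True,
                         capture_output=True)
    return verify_manifest(directory, out.stdout.decode())


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    # Constructed stand-in for a release tarball (not a real archive).
    with open(os.path.join(work, "foo-1.7.tar"), "wb") as f:
        f.write(b"pretend this is foo-1.7.tar\n")
    manifest = build_manifest(work, ["foo-1.7.tar"])
    print(manifest, end="")
    print("before rename:", verify_manifest(work, manifest) or "OK")
    os.rename(os.path.join(work, "foo-1.7.tar"), os.path.join(work, "foo-1.6.tar"))
    print("after rename: ", verify_manifest(work, manifest))
```

One caveat for real use: a zero exit status from gpg only says the signature is valid for some key in your keyring. Before trusting the manifest, confirm the signing key is the one you expect (for example by checking the fingerprint gpg reports), otherwise anyone whose key you happen to have imported could sign a manifest for a renamed or replaced file.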
