BAD signatures for GnuPG Stable

stebe at mailbox.org stebe at mailbox.org
Thu Jan 28 14:15:03 CET 2016 

Hi,

> Aaron Tovo <aarontovo at gmail.com> hat am 28. Januar 2016 um 06:12
> geschrieben:
 
> I re-downloaded sig file and it still fails the gpg --verify test.
> 
> $ gpg --verify libgpg-error-1.21.tar.bz2.sig gpg: Signature made Sat 12
> Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)"
> 
> Could this be some kind of man-in-the-middle attack? I don't recall
> having seen a signature fail like this before.
> 

If you are really interested in further invesigating it, it seems that
this might be useful for you. I haven't checked it yet, though.

(1) https://github.com/Whonix/gpg-bash-lib

Quote from (1)

Why

Writing bash scripts that do file verification using gpg that really is
secure and passes a comprehensive threat model, that covers indefinite
freeze, rollback, endless data attacks, etc. is hard.

gpg-bash-lib's goal is to provide a bash library that we can
collaboratively develop, audit and abstract the hard work into reuseable
functions.

Checking gpg exit codes only is insufficient. Quote Werner Koch (gnupg
lead developer):

    "there is no clear distinction between the codes and for proper error
reporting you are advised to use the --status-fd messages."


What does it do

    Abstracts file verification into common functions.
    Allows detecting of stale files, i.e. detection downgrade or
indefinite freeze attacks by implementing a valid-until like mechanism.
    Internally parses gpg's --status-file output.
    It is signal friendly.
    Detects endless data attacks, aborts and reports this.
    Detects indefinite freeze and rollback (downgrade) attacks and reports
this.
    Can help with verification of names of files, that are otherwise not
covered by default when using gpg.
    Provide diagnostic output (variables) that contain information if the
local clock is sane by comparing signature creation date with local clock.

[...]

Introduction

It is assumed, that your script downloaded a data file as well as a
signature file. A separate folder containing the keys that are supposed to
be used for gpg verification, such as for example
/usr/share/program-name/signing-keys.d is required as a prerequisite. You
can then use this library to do the gpg verification for you. 

Cheers, 

Stebe

More information about the Gnupg-users mailing list