sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

Jakob Bohm jb-gnumlists at wisemo.com
Tue Aug 6 15:25:28 CEST 2024


On 2024-08-06 13:28, andrewg wrote:
> On 2024-08-06 10:32, Jakob Bohm via Gnupg-users wrote:
>>
>> For issues such as the above, the proper script-friendly solution is to
>> enhance gpgv itself with command line options to specify the desired
>> trust requirements.  For the multi-signer scenario above, an option could
>> be set to
>>
>>     --must-match-percent 90 --ignore-unknown
> 
> I think using percentages rather than absolute values here would be 
> dangerous. If this is a percentage of the number of keys in the keyring, 
> it would make updating the membership of the keyring a potential DOS 
> event. If it is a percentage of the number of signatures on the message, 
> an attacker who compromises just one signing key could distribute a 
> package signed by just that key, and 100% of attached signatures would 
> verify.
> 
> A

Intent was percentage of provided signatures whose keys are in the local
pubring, thus verifiable.  Using a percentage without "--ignore-unknown"
would be a percentage of signatures, including any where the public key
isn't in the pubring.

A 3rd option could specify the minimum number of valid signatures no
matter how many are present.  For example:

     --min-ok-sigs 9

would make gpgv reject any file with less than 9 valid signatures, no
matter how many or few invalid signatures are present.  Because this is
an exact min number, it doesn't depend on whether unknown signatures are ignored
or counted as failures.

Passing these options to the full gpg command would count signatures as
valid only if trusted under the selected trust model, and would offer a
fourth option "--ignore-untrusted" which counts untrusted signers as not
there, thus applying the numeric minimums only to the number of trusted
signatures (including trusted but invalid signatures).

gpgv trusts all known signatures, so has no use for ignoring untrusted
signatures.

Remember to also implement these options for gpgsm and gpgsmv.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
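The counting rules discussed in this message (a percentage of verifiable signatures with `--ignore-unknown`, a percentage of all attached signatures without it, and an absolute `--min-ok-sigs` floor) are easy to get subtly wrong, so here is an added example that is not part of the thread and not gpgv code: a small Python policy evaluator that applies those proposed semantics to gpgv's machine-readable `--status-fd` output. The option names are the ones proposed above and do not exist in gpgv; the `GOODSIG`, `BADSIG`, `NO_PUBKEY` and `ERRSIG` keywords are real GnuPG status lines, but the sample status lines, key IDs and user IDs below are constructed.

```python
# Added example (not from the thread, not gpgv's own code): apply the proposed
# --must-match-percent / --ignore-unknown / --min-ok-sigs semantics to the
# "[GNUPG:] ..." lines gpgv writes with --status-fd.
from dataclasses import dataclass
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "

# Per-signature status keywords (GnuPG doc/DETAILS). ERRSIG is deliberately
# not counted: when the signer's key is missing gpgv also emits NO_PUBKEY,
# and counting both would double-count that one signature.
GOOD_KEYWORDS = {"GOODSIG"}
BAD_KEYWORDS = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}   # treated as not valid here
UNKNOWN_KEYWORDS = {"NO_PUBKEY"}


@dataclass
class Tally:
    good: int = 0      # verified with a key present in the pubring
    bad: int = 0       # known key, but the signature did not verify
    unknown: int = 0   # signer's key is not in the pubring

    @property
    def known(self) -> int:
        return self.good + self.bad

    @property
    def total(self) -> int:
        return self.known + self.unknown


def tally_status(lines: Iterable[str]) -> Tally:
    """Count signature outcomes from gpgv --status-fd lines."""
    t = Tally()
    for line in lines:
        line = line.strip()
        if not line.startswith(STATUS_PREFIX):
            continue                      # human-readable stderr noise, ignore
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in GOOD_KEYWORDS:
            t.good += 1
        elif keyword in BAD_KEYWORDS:
            t.bad += 1
        elif keyword in UNKNOWN_KEYWORDS:
            t.unknown += 1
    return t


def evaluate(t: Tally, must_match_percent: Optional[int] = None,
             ignore_unknown: bool = False,
             min_ok_sigs: Optional[int] = None) -> bool:
    """Apply the proposed thresholds; True means 'accept the file'."""
    if must_match_percent is not None:
        # Denominator as described in the thread: with --ignore-unknown only
        # signatures whose keys are in the pubring count, otherwise all of them.
        denominator = t.known if ignore_unknown else t.total
        if denominator == 0:
            return False                  # nothing verifiable: fail closed
        # Integer comparison avoids float rounding at exactly N percent.
        if 100 * t.good < must_match_percent * denominator:
            return False
    if min_ok_sigs is not None and t.good < min_ok_sigs:
        return False                      # absolute floor, unaffected by unknowns
    return True


# Constructed sample: 9 good signatures plus 2 from keys missing from the
# pubring. Key IDs, user IDs and timestamps are made up.
SAMPLE_STATUS = (
    [f"[GNUPG:] GOODSIG 0123456789ABCD{i:02X} Signer {i} <signer{i}@example.org>"
     for i in range(9)]
    + ["[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 10 00 1722947128 9 -",
       "[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA",
       "[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 10 00 1722947128 9 -",
       "[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB"]
)

# The single-signer case raised earlier in the thread: one attached signature, valid.
SINGLE_SIG_STATUS = ["[GNUPG:] GOODSIG 0123456789ABCDEF Signer 0 <signer0@example.org>"]


if __name__ == "__main__":
    t = tally_status(SAMPLE_STATUS)
    print(t,
          "90% ignoring unknown:", evaluate(t, 90, ignore_unknown=True),
          "90% counting unknown:", evaluate(t, 90, ignore_unknown=False),
          "min-ok-sigs 9:", evaluate(t, min_ok_sigs=9))
```

With the sample, `--must-match-percent 90 --ignore-unknown` accepts (9 of 9 verifiable), the same percentage without `--ignore-unknown` rejects (9 of 11), and `--min-ok-sigs 9` accepts regardless. The single-signature case shows why the absolute floor matters: one valid signature is 100% of attached signatures, but fails any `--min-ok-sigs` above 1.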


