/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix detached signature verification #900

Closed
marmarek opened this Issue Mar 8, 2015 · 4 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 2.0 updates
1 participant
@marmarek
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by axon on 12 Sep 2014 08:53 UTC
The problem occurs with this command:

/home/user/.qubes_gpg.sh --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -

The error message is:

gpg: no signed data
gpg: can't hash datafile: file open error

It happens with enigmail is trying to verify GPG/MIME signed message.

Migrated-From: https://wiki.qubes-os.org/ticket/900

@marmarek marmarek added this to the Release 2.1 (post R2) milestone Mar 8, 2015

@marmarek marmarek added bug C: other P: major labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by axon on 11 Feb 2015 09:12 UTC

= Update with Details =

== Latest Software Versions Tested ==
qubes-gpg-split 2.0.7
thunderbird 31.4.0
thunderbird-enigmail 1.7.2

== Default Settings & Behavior ==
Enigmail > Preferences > Basic:

GnuPG was found in /bin/gpg
  1. Receive an email that is signed but '''not''' encrypted by a trusted key.
  2. Enigmail Console:
enigmail> /bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
enigmail> /bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys <key id>
  1. If automatic verification is enabled, Enigmail automatically displays a green bar, stating, "Good signature from [ (This is the desired behavior we want to preserve with qubes-gpg-split.)

== Qubes-gpg-split Settings & Behavior ==

Enigmail > Preferences > Basic:

GnuPG was found in /usr/bin/qubes-gpg-client-wrapper

(I.e., same as [https://qubes-os.org/raw-attachment/wiki/UserDoc/SplitGpg/tb-enigmail-split-gpg-settings-2.png this image](...]."

).)

  1. Receive an email that is signed but '''not''' encrypted by a trusted key.
  2. Enigmail Console:
enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
  1. There is no indication that the email is signed (no green bar; in fact, no bar at all). It looks exactly like a regular, unsigned email. The user is not notified (silent failure).
  2. Enigmail Debug Log:
[enigmailCommon.jsm: decryptMessageStart: verifyOnly=true
enigmailCommon.jsm: execStart: command = /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -, needPassphrase=false, domWindow=[object ChromeWindow](...]
[DEBUG]), listener=[Object](object)
[enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
[DEBUG](CONSOLE]) enigmailCommon.jsm: decryptMessageEnd: uiFlags=8, verifyOnly=true, noOutput=true
[enigmailCommon.jsm: decryptMessageEnd: stderrStr=
gpg: no signed data
gpg: can't hash datafile: file open error

[DEBUG](DEBUG]) enigmailCommon.jsm: parseErrorOutput: status message: 
gpg: no signed data
gpg: can't hash datafile: file open error

[enigmailCommon.jsm: parseErrorOutput: statusFlags = 00000000
[DEBUG](DEBUG]) enigmailCommon.jsm: decryptMessageEnd: command execution exit code: 2
[...]

== Notes ==
The above problem does not seem to occur when an email is both signed '''and''' encrypted (i.e., colored notification bar shows up when using qubes-gpg-split.)
Member

marmarek commented Mar 8, 2015

Comment by axon on 11 Feb 2015 09:12 UTC

= Update with Details =

== Latest Software Versions Tested ==
qubes-gpg-split 2.0.7
thunderbird 31.4.0
thunderbird-enigmail 1.7.2

== Default Settings & Behavior ==
Enigmail > Preferences > Basic:

GnuPG was found in /bin/gpg
  1. Receive an email that is signed but '''not''' encrypted by a trusted key.
  2. Enigmail Console:
enigmail> /bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
enigmail> /bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys <key id>
  1. If automatic verification is enabled, Enigmail automatically displays a green bar, stating, "Good signature from [ (This is the desired behavior we want to preserve with qubes-gpg-split.)

== Qubes-gpg-split Settings & Behavior ==

Enigmail > Preferences > Basic:

GnuPG was found in /usr/bin/qubes-gpg-client-wrapper

(I.e., same as [https://qubes-os.org/raw-attachment/wiki/UserDoc/SplitGpg/tb-enigmail-split-gpg-settings-2.png this image](...]."

).)

  1. Receive an email that is signed but '''not''' encrypted by a trusted key.
  2. Enigmail Console:
enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
  1. There is no indication that the email is signed (no green bar; in fact, no bar at all). It looks exactly like a regular, unsigned email. The user is not notified (silent failure).
  2. Enigmail Debug Log:
[enigmailCommon.jsm: decryptMessageStart: verifyOnly=true
enigmailCommon.jsm: execStart: command = /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -, needPassphrase=false, domWindow=[object ChromeWindow](...]
[DEBUG]), listener=[Object](object)
[enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --verify /tmp/data.sig -
[DEBUG](CONSOLE]) enigmailCommon.jsm: decryptMessageEnd: uiFlags=8, verifyOnly=true, noOutput=true
[enigmailCommon.jsm: decryptMessageEnd: stderrStr=
gpg: no signed data
gpg: can't hash datafile: file open error

[DEBUG](DEBUG]) enigmailCommon.jsm: parseErrorOutput: status message: 
gpg: no signed data
gpg: can't hash datafile: file open error

[enigmailCommon.jsm: parseErrorOutput: statusFlags = 00000000
[DEBUG](DEBUG]) enigmailCommon.jsm: decryptMessageEnd: command execution exit code: 2
[...]

== Notes ==
The above problem does not seem to occur when an email is both signed '''and''' encrypted (i.e., colored notification bar shows up when using qubes-gpg-split.)
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by axon on 13 Feb 2015 15:07 UTC
Another user has (possibly) encountered a more general instance of this bug:

https://groups.google.com/d/msg/qubes-users/u9jRJZ-rMWE/PKy-DaWqm_kJ
Member

marmarek commented Mar 8, 2015

Comment by axon on 13 Feb 2015 15:07 UTC
Another user has (possibly) encountered a more general instance of this bug:

https://groups.google.com/d/msg/qubes-users/u9jRJZ-rMWE/PKy-DaWqm_kJ
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by axon on 13 Feb 2015 16:52 UTC
The general problem seems to be that qubes-gpg-client does not accept certain arguments:

[~](user@work)$ /usr/bin/qubes-gpg-client-wrapper --list-keys 0xA4ECAE9C8E97231E
open: No such file or directory

Without a key ID argument, the command works as expected:

[~](user@work)$ /usr/bin/qubes-gpg-client-wrapper --list-keys
/home/user/.gnupg/pubring.gpg
-----------------------------
pub   4096R/8E97231E 2013-10-03
uid                  Axon. <axon@openmailbox.org>
sub   4096R/7544F57C 2014-08-07 [2015-10-03](expires:)
sub   4096R/635234AF 2014-08-07 [2015-10-03](expires:)
[problem is that programs like Enigmail expect such arguments to be supported, since GPG itself accepts them:

[user@work-gpg ~](...]


The)$ gpg --list-keys 0xA4ECAE9C8E97231E
pub   4096R/8E97231E 2013-10-03
uid                  Axon. <axon@openmailbox.org>
sub   4096R/7544F57C 2014-08-07 [2015-10-03](expires:)
sub   4096R/635234AF 2014-08-07 [2015-10-03](expires:)

...so they try to use them, and it fails:

Initializing Enigmail service ...
EnigmailAgentPath=/usr/bin/qubes-gpg-client-wrapper
[...]
enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys 0xA4ECAE9C8E97231E
open: No such file or directory
Member

marmarek commented Mar 8, 2015

Comment by axon on 13 Feb 2015 16:52 UTC
The general problem seems to be that qubes-gpg-client does not accept certain arguments:

[~](user@work)$ /usr/bin/qubes-gpg-client-wrapper --list-keys 0xA4ECAE9C8E97231E
open: No such file or directory

Without a key ID argument, the command works as expected:

[~](user@work)$ /usr/bin/qubes-gpg-client-wrapper --list-keys
/home/user/.gnupg/pubring.gpg
-----------------------------
pub   4096R/8E97231E 2013-10-03
uid                  Axon. <axon@openmailbox.org>
sub   4096R/7544F57C 2014-08-07 [2015-10-03](expires:)
sub   4096R/635234AF 2014-08-07 [2015-10-03](expires:)
[problem is that programs like Enigmail expect such arguments to be supported, since GPG itself accepts them:

[user@work-gpg ~](...]


The)$ gpg --list-keys 0xA4ECAE9C8E97231E
pub   4096R/8E97231E 2013-10-03
uid                  Axon. <axon@openmailbox.org>
sub   4096R/7544F57C 2014-08-07 [2015-10-03](expires:)
sub   4096R/635234AF 2014-08-07 [2015-10-03](expires:)

...so they try to use them, and it fails:

Initializing Enigmail service ...
EnigmailAgentPath=/usr/bin/qubes-gpg-client-wrapper
[...]
enigmail> /usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys 0xA4ECAE9C8E97231E
open: No such file or directory
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 18 Feb 2015 01:31 UTC
http://git.qubes-os.org/?p=marmarek/qubes-app-linux-split-gpg.git;a=commit;h=b3916f618bcad897065e2be4eaba625ac74ecf89
http://git.qubes-os.org/?p=marmarek/qubes-app-linux-split-gpg.git;a=commit;h=751e68893e9cfc101ea57f1adfa5098f10b4efd0

Detached signature handling is quite dump, but should work. Limitations:

  • path given as the first argument to --verify must be at long enough to fit "/dev/fd/FD" string; Thunderbird uses "/tmp/data.sig" which is ok
  • in some cases the code can deadlock (when client writes one input data, but the gpg process at server side waits for the other); this shouldn't happen with any sane signature (under 4096 bytes)
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 18 Feb 2015 01:31 UTC
http://git.qubes-os.org/?p=marmarek/qubes-app-linux-split-gpg.git;a=commit;h=b3916f618bcad897065e2be4eaba625ac74ecf89
http://git.qubes-os.org/?p=marmarek/qubes-app-linux-split-gpg.git;a=commit;h=751e68893e9cfc101ea57f1adfa5098f10b4efd0

Detached signature handling is quite dump, but should work. Limitations:

  • path given as the first argument to --verify must be at long enough to fit "/dev/fd/FD" string; Thunderbird uses "/tmp/data.sig" which is ok
  • in some cases the code can deadlock (when client writes one input data, but the gpg process at server side waits for the other); this shouldn't happen with any sane signature (under 4096 bytes)

@marmarek marmarek closed this Mar 8, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment