gpg --verify is insecure for verification of --clearsigned files

[adrelanos]

gpg --verify is insecure for verification of --clearsigned files. Counter intuitive. But gpg --decrypt should be used instead.

Hard to explain with words. But code and output talks. See:
https://gist.github.com/adrelanos/defdf9d693c2726514fd

Line in question:
https://github.com/martincmelik/Securix-Linux/blob/14e4fd445235e4bf384fd8ffb65e1c43d7bfe9ac/securix-install/install.sh#L823

[adrelanos]

Yet to be solved. Updated the title and description of this ticket.

[adrelanos]

See this thread "Are there cases where gpg --verify will exit 0, even if verification failed?":
http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052212.html

They seem to disagree? But we should take Werner Koch seriously.

Werner Koch:

On Wed, 14 Jan 2015 14:40, dkg@fifthhorseman.net said:

gpg does use the return code to indicate failure of signature
verification.

But recall that success does not mean that the signature is good.
Check the status output or use gpgv.

http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052228.html

[adrelanos]

I still don't know specific cases, but Werner Koch is very clear about this.

Werner Koch:

Do you mean, for example, the signature could be valid, but the key that
signed it could be revoked and gpg would still exit 0?

Sure. It is just to complex to put it into one number. Consider the
case for multiple signatures - who is going to decide whether the
signature is valid. This has all been discussed about 15 years ago
with the result of writing the gpgv binary which is suitable for most
automated signature verification use cases.

http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052232.html

[adrelanos]

Is there a shell script or bash library for parsing gpg's --status-fd output?:

• http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052230.html
• https://lists.gnu.org/archive/html/help-bash/2015-01/msg00024.html
• https://security.stackexchange.com/questions/79261/is-there-a-shell-script-or-bash-library-for-parsing-gpgs-status-fd-output

No answers yet.

[martinholovsky]

thats ironic, isnt it? gpgv is not in default portage tree
I might add securix signature to verified files and discard gpg completely

[adrelanos]

discard gpg completely

I'd find that very wrong. Killing the patient doesn't count for healing the sickness. ;)

Created a gpg-bash-lib in meanwhile:
https://github.com/Whonix/gpg-bash-lib

Still lacks documentation, but I think it's a sound solution. No negative feedback yet, but also no other users.

Usage examples:

• https://github.com/Whonix/whonixcheck/blob/be8aea5752d1254f4b8d0fa481c3217a39f948b9/usr/lib/whonixcheck/check_news#L122
• https://github.com/Whonix/tb-updater/blob/3547a23d52e009647419a3fbd10c9bedc71a3a9d/usr/bin/update-torbrowser#L902
• https://github.com/Whonix/tb-updater/blob/3547a23d52e009647419a3fbd10c9bedc71a3a9d/usr/bin/update-torbrowser#L987

Shall I send a pull request that adapts it?

[martinholovsky]

Hi, I saw it already, but its too much code.
btw did you consider different timezone, when you're checking date and time of signature? I have seen there unix time, which should be OK, but I'm not yet oriented in your code.

regarding pull request: if it could be compressed into 10 lines, then sure :]

[adrelanos]

Late answer but better than never.

btw did you consider different timezone, when you're checking date and time of signature? I have seen there unix time, which should be OK, but I'm not yet oriented in your code.

Yes. It's all unix time. Nothing depends on timezone.