[Gnu-arch-users] (fairly minor) SECURITY ISSUE

[Tom Lord]

Oh, this just blows.

So, a checksum file produced with gpg signing looks something like this:

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Signature-for: address@hidden/tla--devo--1.2--patch-42
  md5 log 125cdb8180b8c02741531aa2b2b547ca
  md5 tla--devo--1.2--patch-42.patches.tar.gz b49b6cc662454ca8ffa91269be75a4f4
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.2.2 (FreeBSD)

  iD8DBQE/76rkYiL4ten68SkRAsswAKCSGWt5ujzBqwYGIU0u51n1SUlRygCfWdui
  NzrkjNvPg0iDaMbuDUcGrYk=
  =NDB+
  -----END PGP SIGNATURE-----

However, gpg --verify-files will quite happily report a good signature
for a file that looks like this:

  Signature-for: address@hidden/tla--devo--1.2--patch-42
  md5 log completely-bogus-checksum
  md5 tla--devo--1.2--patch-42.patches.tar.gz completely-bogus-checksum
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Signature-for: address@hidden/tla--devo--1.2--patch-42
  md5 log 125cdb8180b8c02741531aa2b2b547ca
  md5 tla--devo--1.2--patch-42.patches.tar.gz b49b6cc662454ca8ffa91269be75a4f4
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.2.2 (FreeBSD)

  iD8DBQE/76rkYiL4ten68SkRAsswAKCSGWt5ujzBqwYGIU0u51n1SUlRygCfWdui
  NzrkjNvPg0iDaMbuDUcGrYk=
  =NDB+
  -----END PGP SIGNATURE-----

which is, of course, a security problem.

.check files in ~/.arch-params/signing need to be revised.

Anyone care to suggest the best revision?

(Sorry to reveal an exploit so plainly but it seemed to me that this
was the best way to handle it at this stage since pre0 was announced
with the caveat "please help us review these new features".)

(Incidentally, I don't want to have tla itself scan for the "PGP
SIGNED MESSAGE" line because I don't want tla to depend on using
pgp-family tools for signing.)

-t