Re: [Gnu-arch-users] signatures and checking

From: Tom Lord
Subject: Re: [Gnu-arch-users] signatures and checking
Date: Mon, 26 Jan 2004 19:19:39 -0800 (PST)

> From: Andrew Suffield <address@hidden>

> On Mon, Jan 26, 2004 at 04:58:51PM -0800, Tom Lord wrote:
> > So I'm back to thinking that the right short term fix for the security
> > issue is just to provide, say, an awk script that users can use
> > instead of calling gpg (or agpg or whatever) directly in their .check
> > files.

> What do you think this script should do?

> The only way it can possibly work that I can see, is to reimplement
> the packet parser from gpg. That's hard; I looked at the code and it's
> extremely complicated. There are heaps of things that gpg will
> consider valid signed data; the clearsigned openpgp messages that we're
> currently using are a tiny subset of the range of things that gpg can
> handle.

The script doesn't have to handle everything that gpg could possibly
generate -- only what it _does_ generate for this particular case.

Since you've looked at the gpg code: what's wrong with the enclosed --
invoked as something like:

    ./this-script gpg_command="agpg --verify-files -"

-t

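#!gawk -f

# The first line of the input must be the clearsign header,
# and it may appear only once.
/-----BEGIN PGP SIGNED MESSAGE-----/ {
  if (first_line_seen)
    {
      bogosity = 1;
      exit;
    }
  else
    {
      print $0 | gpg_command;
      first_line_seen = 1;
    }
  next;
}

# The end-of-signature line is only valid after the header.
/-----END PGP SIGNATURE-----/ {
  if (!first_line_seen)
    {
      bogosity = 1;
      exit;
    }
  else
    {
      print $0 | gpg_command;
      last_line_seen = 1;
    }
  next;
}

# Any other line must fall between the header and the end-of-signature
# line; data before the header or after the signature is rejected.
{
  if (!first_line_seen || last_line_seen)
    {
      bogosity = 1;
      exit;
    }
  else
    {
      print $0 | gpg_command;
    }
  next;
}

# Fail on bad framing, or on a non-zero result from close()
# (gpg_command failed or was never started).
END {
  if (bogosity || close(gpg_command))
    {
      exit 1;
    }
  else
    {
      exit 0;
    }
}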
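
A buffered variant of the framing check in the script above, as an added example that is not Tom Lord's code or part of the original message: it applies the same accept/reject rule, additionally rejects a repeated or missing END line, and starts the verifier only after the whole input has passed. The function names and the sample inputs are constructed for illustration, and `gpg_command` is whatever verifier command the caller supplies.

```python
import shlex
import subprocess

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
END = "-----END PGP SIGNATURE-----"

def framing_error(text):
    """Return None if text is exactly one BEGIN..END envelope, else a reason.

    Markers are matched as substrings of a line, like the awk regexes.
    """
    seen_begin = seen_end = False
    for n, line in enumerate(text.splitlines(), 1):
        if BEGIN in line:
            if seen_begin:
                return f"line {n}: second BEGIN marker"
            seen_begin = True
        elif END in line:
            if not seen_begin:
                return f"line {n}: END marker before BEGIN"
            if seen_end:                      # stricter than the awk script
                return f"line {n}: repeated END marker"
            seen_end = True
        elif not seen_begin or seen_end:
            return f"line {n}: data outside the signed envelope"
    if not (seen_begin and seen_end):         # stricter: truncated or empty input
        return "missing BEGIN or END marker"
    return None

def checked_verify(text, gpg_command):
    """Run gpg_command on text only after the whole input passed framing."""
    if framing_error(text) is not None:
        return False
    proc = subprocess.run(shlex.split(gpg_command), input=text.encode())
    return proc.returncode == 0

# Constructed sample: the shape of a clearsigned message, not a real signature.
GOOD = "\n".join([BEGIN, "Hash: SHA1", "", "signed text",
                  "-----BEGIN PGP SIGNATURE-----", "", "(constructed)", END, ""])

if __name__ == "__main__":
    cases = {"well-formed": GOOD, "trailing data": GOOD + "unsigned line\n",
             "leading data": "unsigned line\n" + GOOD, "two messages": GOOD + GOOD}
    for name, text in cases.items():
        print(f"{name}: {framing_error(text) or 'framing ok'}")
```

Because the input is buffered, the verifier never sees a partial message when the framing is bad, whereas the awk script has already piped the earlier lines by the time it sets `bogosity`.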