gnu-arch-users

Re: [Gnu-arch-users] signatures and checking


From: Tom Lord
Subject: Re: [Gnu-arch-users] signatures and checking
Date: Mon, 26 Jan 2004 19:19:39 -0800 (PST)


    > From: Andrew Suffield <address@hidden>

    > On Mon, Jan 26, 2004 at 04:58:51PM -0800, Tom Lord wrote:
    > > So I'm back to thinking that the right short term fix for the security
    > > issue is just to provide, say, an awk script that users can use
    > > instead of calling gpg (or agpg or whatever) directly in their .check
    > > files.

    > What do you think this script should do?

    > The only way it can possibly work that I can see, is to reimplement
    > the packet parser from gpg. That's hard; I looked at the code and it's
    > extremely complicated. There are heaps of things that gpg will
    > consider valid signed data; the clearsigned openpgp message that we're
    > currently using are a tiny subset of the range of things that gpg can
    > handle.

The script doesn't have to handle everything that gpg could possibly
generate -- only what it _does_ generate for this particular case.

Since you've looked at the gpg code: what's wrong with the enclosed --
invoked as something like:

        ./this-script gpg_command="agpg --verify-files -"


-t


#!/usr/bin/gawk -f
#
# Pass exactly one clearsigned block through to gpg and nothing else.
# Anything before the BEGIN line, after the END line, or a second
# BEGIN or END in the stream is bogus and makes the script exit 1.
# gpg_command is given on the command line, e.g.
#     ./this-script gpg_command="agpg --verify-files -"
#
# The framing lines are anchored to the whole line: inside the signed
# text a line that starts with "-" is dash-escaped as "- -----BEGIN ...",
# and an unanchored match would wrongly reject such a message.

/^-----BEGIN PGP SIGNED MESSAGE-----$/ {
  if (first_line_seen)
    {
      bogosity = 1;                 # second BEGIN: concatenated messages
      exit;
    }
  else
    {
      print $0 | gpg_command;
      first_line_seen = 1;
    }
  next;
}


/^-----END PGP SIGNATURE-----$/ {
  if (!first_line_seen || last_line_seen)
    {
      bogosity = 1;                 # END without BEGIN, or a second END
      exit;
    }
  else
    {
      print $0 | gpg_command;
      last_line_seen = 1;
    }
  next;
}


{
  if (!first_line_seen || last_line_seen)
    {
      bogosity = 1;                 # data outside the BEGIN ... END envelope
      exit;
    }
  else
    {
      print $0 | gpg_command;
    }
  next;
}

END {
  # "exit" in a rule still runs END.  close() returns the exit status of
  # gpg_command, so a bad signature fails here as well; an input that never
  # reached an END line is bogus too.
  if (bogosity || !last_line_seen || close(gpg_command))
    {
      exit 1;
    }
  else
    {
      exit 0;
    }
}
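As an added example, not part of Tom's post and not code from GNU Arch or gpg, the same envelope rule written in Python with the inputs the filter is meant to reject spelled out as constructed samples. It goes slightly beyond the awk script: besides insisting on exactly one BEGIN ... END envelope with nothing outside it, it checks the layout inside the envelope (Hash armor headers, one blank line, a dash-escaped body, then the signature block). The function names, the sample tag name and the placeholder signature lines are mine; real signature verification is still gpg's job, the point is to hand gpg only input that survives this check.

```python
"""Structural check for one OpenPGP clearsigned message (added example).

Not code from the gnu-arch-users post, GNU Arch or gpg.  It mirrors the
awk filter's rule (exactly one BEGIN ... END envelope, nothing outside it)
and also checks the envelope's internal layout.  It does not verify the
signature; the idea is to pass only input that survives this check on to
gpg, so unsigned bytes cannot ride along with a valid signature.
"""

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def check_envelope(text):
    """Return (ok, reason); ok is True only for one well-formed clearsigned block."""
    lines = text.split("\n")
    if lines and lines[-1] == "":      # drop the element produced by a final newline
        lines.pop()
    if not lines or lines[0] != BEGIN:
        return False, "does not start with the BEGIN line"
    if lines[-1] != END:
        return False, "does not end with the END line (data appended after the signature?)"

    state = "headers"                 # headers -> body -> signature
    for raw in lines[1:-1]:
        if raw == BEGIN:
            return False, "second BEGIN line (two messages concatenated?)"
        if raw == END:
            return False, "END line before the last line (data appended after the signature?)"
        if state == "headers":
            if raw.startswith("Hash: "):
                continue              # gpg emits e.g. "Hash: SHA256" here
            if raw == "":
                state = "body"        # the single blank line ends the armor headers
                continue
            return False, "unexpected armor header line: %r" % raw
        if state == "body":
            if raw == SIG_BEGIN:
                state = "signature"
                continue
            # Body lines that begin with '-' must be dash-escaped as "- ...";
            # a bare "-----..." line here is a framing line, not signed text.
            if raw.startswith("-") and not raw.startswith("- "):
                return False, "body line is not dash-escaped: %r" % raw
            continue
        # state == "signature": base64 and CRC lines until the final END line
    if state != "signature":
        return False, "no signature block"
    return True, "ok"


def for_gpg(text):
    """Return text unchanged if it passes check_envelope, else None."""
    ok, _ = check_envelope(text)
    return text if ok else None


# Constructed sample; the signature lines are placeholders, not real base64.
GOOD = "\n".join([
    BEGIN,
    "Hash: SHA256",
    "",
    "tag: project--branch--1.0--patch-7",
    "- -----BEGIN PGP SIGNED MESSAGE-----  <- dash-escaped body line, legal",
    SIG_BEGIN,
    "",
    "iQEzBAEBCAAd/placeholder/constructed/not/a/real/signature",
    "=AbCd",
    END,
    "",
])

# Constructed inputs a permissive verifier might still report as "good signature".
CASES = {
    "well-formed": GOOD,
    "trailing unsigned data": GOOD + "unsigned line appended after the signature\n",
    "leading unsigned data": "unsigned preamble\n" + GOOD,
    "two blocks concatenated": GOOD + GOOD,
    "bare framing line in body": GOOD.replace("tag: project--branch--1.0--patch-7", BEGIN),
}

if __name__ == "__main__":
    for name, sample in CASES.items():
        ok, reason = check_envelope(sample)
        print("%-26s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Only the "well-formed" sample is accepted; every other case is refused before gpg ever sees it, which is the property the awk filter in a .check file is after.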