[Pkg-gnupg-maint] Bug#612462: Bug#612462: gnupg: Please provide a win32 port of gpgv

Didier 'OdyX' Raboud odyx at debian.org
Wed Feb 9 10:35:15 UTC 2011


On Tuesday 8 February 2011 20:36:37 Thijs Kinkhorst, you wrote:
> On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> > a current flaw of the standalone version of win32-loader (source and
> > binary package in Debian) is that it downloads the d-i kernel and
> > initrds through Internet without any form of checking that those are
> > authenticated binaries from the Debian project (see #442180 for
> > details).
> > 
> > In order to solve this, the Windows executable needs to check the
> > signature on the downloaded Release{,.gpg} file and then check the
> > md5sums of various files. The md5sum checksum verification is already
> > implemented (although not uploaded yet) with a md5sum implementation
> > internal to NSIS. There are still missing pieces on FTP-Master side (see
> > #611087, which will get solved in their upcoming meeting, I heard), but
> > I would also need a gpgv.exe that could run on the target Windows host,
> > to check the downloaded Release{,.gpg} files.
> 
> I'm not averse to this plan but I do not completely understand it. You
> need gpgv.exe on the Windows platform, but you cannot install debs there,
> right? So what would the role of this deb be exactly?

Hi Thijs,

thanks for your rapid answer.

This new binary package would serve the same purpose (and is designed likewise) 
as cpio-win32 or gzip-win32: they are Build-Depends of win32-loader.

During the win32-loader build, they get "embedded" in the win32-loader.exe 
Windows executable. When launched, this executable collects some information 
from the running Windows host and then uses cpio.exe and gzip.exe to repack a 
new initrd with embedded preseeding.

(The executables are embedded in the win32-loader.exe using the
  File /oname=$INSTDIR\cpio.exe /usr/share/win32/cpio.exe
  File /oname=$INSTDIR\gzip.exe /usr/share/win32/gzip.exe
commands (in s_install.nsi in current win32-loader git). First argument being 
the path in Windows, second being the (build-)source of said executables.)

Hence I would like to bundle gpgv.exe similarly, in order to unpack it in the
C:\win32-loader path ($INSTDIR above), to be able to check Release file 
signatures, on the Windows host.

Is that clearer? I can elaborate further if needed.

> Also I cannot test it. Would you assume responsibility for dealing with
> potential bug reports for this?

If your Debian can run wine, gpgv.exe runs correctly under wine (although with 
glitches around path handling in the --keyring option, which can be worked 
around).

But yes, I can handle this, and I'll make sure to be subscribed to gnupg's 
bug reports if my patch gets accepted.

Cheers,

OdyX

-- 
Didier Raboud, proud Debian Developer.
CH-1020 Renens
odyx at debian.org
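The verification flow described in this message (check the Release.gpg signature with gpgv against a bundled keyring, and only then compare the downloaded files with the checksums listed in Release), as an added Python example; it is not win32-loader's NSIS code, the keyring and file names are placeholders, and the Release excerpt and payload are constructed. The parser also accepts the SHA256 section via the `section` and `algorithm` parameters, which the message does not cover.

```python
import hashlib
import subprocess

def signature_is_valid(keyring, signature, data, gpgv="gpgv"):
    """Detached-signature check: gpgv --keyring KEYRING Release.gpg Release.
    Only exit status 0 means the signature verified against that keyring."""
    try:
        result = subprocess.run([gpgv, "--keyring", keyring, signature, data],
                                capture_output=True)
    except FileNotFoundError:      # gpgv.exe not bundled or not on PATH
        return False
    return result.returncode == 0

def parse_checksums(release_text, section="MD5Sum"):
    """Map path -> (hex digest, size) from one checksum section of a Release file."""
    entries, active = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # field or section header
            active = line.rstrip(":") == section
        elif active:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def file_matches(data, path, entries, algorithm="md5"):
    """True only if the file is listed and both size and digest agree."""
    if path not in entries:
        return False
    digest, size = entries[path]
    return len(data) == size and hashlib.new(algorithm, data).hexdigest() == digest

def verify_download(keyring, signature, release_path, data, path):
    """Full flow: the checksum list is only trusted once its signature checks out."""
    if not signature_is_valid(keyring, signature, release_path):
        return False
    with open(release_path, encoding="utf-8") as fh:
        return file_matches(data, path, parse_checksums(fh.read()))

# Constructed sample Release excerpt and payload (not real Debian data).
SAMPLE_PATH = "main/installer-i386/current/images/netboot/vmlinuz"
SAMPLE_FILE = b"hello world"
SAMPLE_RELEASE = f"""Origin: Debian
Suite: testing
MD5Sum:
 5eb63bbbe01eeed093cb22bb8f5acdc3 11 {SAMPLE_PATH}
SHA256:
 b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 11 {SAMPLE_PATH}
"""
```

A download whose size or digest differs from the signed Release entry, or that is not listed at all, is rejected; the signature step fails closed when gpgv cannot be run.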