[Pkg-gnupg-maint] Bug#704645: Processed: Re: Bug#704613: cdebootstrap: signature verification bypass with manipulated InRelease file
thijs at debian.org
Sat Apr 6 10:45:56 UTC 2013
retitle 704645 gpg --verify suggests entire file was verified, even if file contains auxiliary data
After some discussion I've come to the following description of this request
(submitters, please correct or augment where necessary):
"gpg --verify <filename>" returns a binary answer: has a valid signature,
doesn't have a valid signature. This is described in the man page as "Assume
that the first argument is a signed file or a detached signature and verify
it without generating any output."
This works well for detached signatures or for files that contain only a
clearsigned message and nothing else. The problem comes in when somewhere in
a file a valid block of clearsigned text is present, but this block is
preceded or followed by auxiliary data. Running "gpg --verify" on that file
results in an assertion that "the file" has a "valid signature" while in
fact only a part of the file was verified with no way of knowing which.
As it turned out, implementors have been assuming that running
"gpg --verify" on a file yields enough information to further process
that file as if all data in it were correctly signed. It has been
argued that running "gpg --verify" in its current form on a clearsigned
file is useless as it only tells you that "something somewhere in
that file has a valid signature".
(There is currently a working way to verify and extract only the signed
data, which is by using --status-fd and parsing its output.)
I'm seeking input from GnuPG upstream for their view on this case.
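As an added example (not from the bug report, GnuPG, or cdebootstrap), this is one way to apply the --status-fd approach mentioned above while also making sure only the bytes GnuPG actually verified are handed on for processing. It assumes `gpg` is on PATH, that `--decrypt` with `--output` writes just the signed payload, and that the status keywords are the ones documented in GnuPG's doc/DETAILS; the key fingerprints in the test are constructed values.

```python
"""Verify a clearsigned file and keep only the signed bytes (added example)."""
import subprocess
import tempfile
from pathlib import Path


def parse_status(status_lines, trusted_fprs):
    """Decide from [GNUPG:] status lines whether exactly one good signature
    from a trusted key was seen. Returns (ok, reason)."""
    good = 0
    valid_fprs = []
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line (e.g. stray gpg chatter)
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG", "NODATA"):
            return False, f"{kw}: no usable signature"
        if kw == "GOODSIG":
            good += 1
        if kw == "VALIDSIG" and len(fields) > 2:
            valid_fprs.append(fields[2])  # field 2 is the signing key fingerprint
    # Two clearsigned blocks in one file would yield two GOODSIG lines;
    # insist on exactly one so a concatenated file is not accepted.
    if good != 1 or len(valid_fprs) != 1:
        return False, f"expected exactly one good signature, saw {good}"
    if valid_fprs[0].upper() not in {f.upper() for f in trusted_fprs}:
        return False, f"signature from untrusted key {valid_fprs[0]}"
    return True, "signed by trusted key " + valid_fprs[0]


def verify_and_extract(signed_path, keyring, trusted_fprs):
    """Run gpg on a clearsigned file. Returns (payload_bytes_or_None, reason).
    Only what gpg wrote to --output is returned; the original file, which may
    carry unsigned data before or after the signed block, is never reused."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "payload"
        proc = subprocess.run(
            ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
             "--status-fd", "1", "--output", str(out), "--decrypt", signed_path],
            capture_output=True, text=True)
        ok, reason = parse_status(proc.stdout.splitlines(), trusted_fprs)
        if not ok or proc.returncode != 0 or not out.exists():
            return None, reason
        return out.read_bytes(), reason
```

The payload returned by `verify_and_extract` is what a downstream tool such as cdebootstrap should parse, rather than the InRelease file it was given.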