Date: Fri, 27 Feb 2015 14:24:58 +0100
From: Nicolas Vigier <boklm@mars-attacks.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150227132458.GE2262@mars-attacks.org>
References: <1424955764.2354591.232742237.2CF4B4C5@webmail.messagingengine.com>
 <20150226165538.GA24850@blues.local.sinic.name>
 <1425041044.54292.233221517.5204784B@webmail.messagingengine.com>
In-Reply-To: <1425041044.54292.233221517.5204784B@webmail.messagingengine.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4

On Fri, 27 Feb 2015, andre76@fastmail.fm wrote:

>
>
> On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > andre76@fastmail.fm wrote:
> > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> >
> > Note that calling gpg --verify with a detached signature as its only
> > argument is insecure (later versions of GnuPG should emit a warning).
> > See my message to Gnupg-users and subsequent responses for details:
> > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> >
>
> I could read those responses until the end of time and wouldn't
> understand anything.
>
> Could you tell me what I'm supposed to enter in Terminal to get a
> response that indicates a good file or a bad file?
>
> Here's what I entered (2 separate ways):
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
> gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
>
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz

The good one is the second one: giving the signature file as first
argument, and the file to be checked as second argument.

The problem with giving only one argument is that if the .asc file
contains some text with an in-line signature (rather than what people
would expect: a detached signature for the .tar.xz file), then gpg
will only verify this inline signature and ignore the .tar.xz file.
And the output only tells you that there is a good signature, so you
can't see that the .tar.xz file was not checked.

Example:

 $ echo 'some text' > some_file.txt
 $ gpg --clearsign some_file.txt
 $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc

Now the gpg command tells us the signature is good, although it has
nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:

 $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
 gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
 gpg:                using RSA key 2067001B1B678A63
 gpg: Good signature from "Nicolas Vigier (boklm) <boklm@mars-attacks.org>"
 gpg:                 aka "Nicolas Vigier (boklm) <boklm@torproject.org>"

But with 2 arguments it tells us something is wrong:

 $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
 gpg: not a detached signature
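The failure mode above (a "Good signature" that was computed over text hidden inside the .asc rather than over the tarball) can also be caught before gpg is ever run, which is useful in download scripts that only see the .asc and would otherwise parse gpg's output. The following is an added example, not code from the post, from GnuPG or from the Tor Browser project: it reads the raw bytes of a .asc/.sig file and accepts it only if the armor type is PGP SIGNATURE (or the file is a binary .sig) and the decoded stream contains nothing but signature packets (tag 2). A clearsigned file (PGP SIGNED MESSAGE) or an inline-signed one (PGP MESSAGE with one-pass-signature and literal-data packets) is rejected, because verifying it says nothing about the .tar.xz next to it. Only RFC 4880 packet framing is parsed; no signature is checked. The sample inputs at the bottom are constructed packet streams with filler bodies, not real signatures, and the helper names (`armor_type`, `packet_tags`, `check_detached_signature`) are this example's own.

```python
"""Pre-flight check for `gpg --verify <sig> <file>`: is <sig> really detached?
Added example, not code from the mailing-list post or from GnuPG."""
import base64
import re

SIGNATURE_PACKET = 2  # RFC 4880 section 5.2


def armor_type(text):
    """'SIGNATURE', 'MESSAGE', 'SIGNED MESSAGE', ... or None if not armored."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----", text)
    return m.group(1) if m else None


def armor_decode(text):
    """Binary packet stream of an armored block: skip the BEGIN line and the
    armor headers (up to the first blank line), join the base64 lines, ignore
    the '=XXXX' CRC24 line and stop at the END line."""
    lines = text.splitlines()
    end = next((i for i, ln in enumerate(lines) if ln.startswith("-----END PGP ")), len(lines))
    body = lines[1:end]
    if "" in body:
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))


def packet_tags(data):
    """Walk an OpenPGP packet stream (RFC 4880 section 4.2) and return the tag of
    every packet. Partial-body and indeterminate lengths are rejected."""
    tags, i, n = [], 0, len(data)
    while i < n:
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ptag & 0x40:                          # new-format header
            tag = ptag & 0x3F
            b1 = data[i + 1]
            if b1 < 192:
                hdr, length = 2, b1
            elif b1 < 224:
                hdr, length = 3, ((b1 - 192) << 8) + data[i + 2] + 192
            elif b1 == 255:
                hdr, length = 6, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body length at offset %d" % i)
        else:                                    # old-format header
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at offset %d" % i)
            hdr = 1 + (1 << ltype)               # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        i += hdr + length
        if i > n:
            raise ValueError("truncated packet (tag %d)" % tag)
        tags.append(tag)
    return tags


def check_detached_signature(blob):
    """(ok, reason) for the raw bytes of a .asc or .sig file."""
    try:
        if blob.startswith(b"-----BEGIN PGP "):
            text = blob.decode("latin-1")
            kind = armor_type(text)
            if kind == "SIGNED MESSAGE":
                return False, "clearsigned text, not a detached signature"
            if kind != "SIGNATURE":
                return False, "armored PGP %s, not a detached signature" % kind
            data = armor_decode(text)
        else:
            data = blob                          # binary .sig
        tags = packet_tags(data)
    except ValueError as exc:                    # includes bad base64
        return False, "malformed: %s" % exc
    if not tags:
        return False, "no OpenPGP packets found"
    extra = sorted(set(tags) - {SIGNATURE_PACKET})
    if extra:
        return False, "embeds signed data (packet tags %s); gpg would verify that, not your file" % extra
    return True, "%d signature packet(s), nothing else" % len(tags)


# Constructed sample inputs (filler bodies, not real signatures): only the
# packet framing matters to the check above.
def _old_packet(tag, body):      # old-format header, 2-byte length (as in 'iQIc...')
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body

def _new_packet(tag, body):      # new-format header, 1-octet length (< 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body

def armor(kind, data, headers=("Version: GnuPG v1",)):
    b64 = base64.b64encode(data).decode()
    out = ["-----BEGIN PGP %s-----" % kind, *headers, ""]
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(out + ["-----END PGP %s-----" % kind, ""]).encode()

FAKE_SIG = _old_packet(2, b"\x04\x00\x01\x02" + b"\x00" * 12)                   # tag 2
DETACHED_PACKETS = FAKE_SIG
INLINE_PACKETS = (_new_packet(4, b"\x03\x00\x02\x01" + b"\x00" * 9)            # tag 4: one-pass sig
                  + _new_packet(11, b"b\x00" + b"\x00" * 4 + b"some text\n")  # tag 11: literal data
                  + FAKE_SIG)
DETACHED_ASC = armor("SIGNATURE", DETACHED_PACKETS)    # what a proper .asc looks like
INLINE_ASC = armor("MESSAGE", INLINE_PACKETS)          # shape of `gpg --sign --armor` output
CLEARSIGNED_ASC = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nsome text\n"
                   + armor("SIGNATURE", FAKE_SIG))     # shape of `gpg --clearsign` output

if __name__ == "__main__":
    for name, blob in (("detached", DETACHED_ASC), ("inline-signed", INLINE_ASC),
                       ("clearsigned", CLEARSIGNED_ASC)):
        ok, why = check_detached_signature(blob)
        print("%-14s %s  (%s)" % (name, "OK" if ok else "REJECT", why))
```

Run stand-alone, the detached sample is accepted and the inline-signed and clearsigned ones are rejected. This is a pre-check only: the actual cryptographic verification is still `gpg --verify file.asc file.tar.xz` with both arguments, whose "not a detached signature" error is the final word when the .asc turns out to be something else.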
