From: andre76@fastmail.fm
To: tor-talk@lists.torproject.org
Date: Sat, 28 Feb 2015 14:27:59 +0100
Subject: Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4



On Fri, Feb 27, 2015, at 02:24 PM, Nicolas Vigier wrote:
> On Fri, 27 Feb 2015, andre76@fastmail.fm wrote:
> 
> > 
> > 
> > On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > > andre76@fastmail.fm wrote:
> > > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc                
> > > 
> > > Note that calling gpg --verify with a detached signature as its only
> > > argument is insecure (later versions of GnuPG should emit a warning).
> > > See my message to Gnupg-users and subsequent responses for details:
> > > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> > > 
> > 
> > I could read those responses until the end of time and wouldn't
> > understand anything.
> > 
> > Could you tell me what I'm supposed to enter in Terminal to get a
> > response that indicates a good file or a bad file?
> > 
> > Here's what I entered (2 separate ways);
> > 
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > 
> > gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
> > gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
> > 
> > 
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
> 
> The good one is the second one: giving the signature file as first
> argument, and the file to be checked as second argument.
> 
> The problem with giving only one argument is that if the .asc file
> contains some text with an in-line signature (rather than what people
> would expect: a detached signature for the .tar.xz file), then gpg
> will only verify this inline signature and ignore the .tar.xz file.
> And the output only tells you that there is a good signature, so you
> can't see that the .tar.xz file was not checked.
> 
> Example:
> 
>  $ echo 'some text' > some_file.txt
>  $ gpg --clearsign some_file.txt
>  $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> 
> Now the gpg command tells us the signature is good, although it has
> nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:
> 
>  $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc 
>  gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
>  gpg:                using RSA key 2067001B1B678A63
>  gpg: Good signature from "Nicolas Vigier (boklm) <boklm@mars-attacks.org>"
>  gpg:                 aka "Nicolas Vigier (boklm) <boklm@torproject.org>"
> 
> But with 2 arguments it tells us something is wrong:
> 
>  $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
>  gpg: not a detached signature


When run in Terminal this is what happens;

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

I have no idea what all of this means but when I see something that says
"BAD signature" that tells me something is wrong.

Is the tar.xz file bad and suspect?

What must be done to fix this?


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
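
Added example, not part of the original message and not Tor Project or GnuPG code: a wrapper around the two-argument check discussed in the thread. It refuses a .asc file that is not a detached signature and reads gpg's machine-readable status lines instead of the human-readable text. The function names are hypothetical, the .asc file is assumed to be ASCII-armored, and the expected fingerprint is a value you obtain out of band.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Classify an armored .asc file by its first armor header line. This is a
# quick pre-check only; gpg's own packet parsing remains the authority.
asc_kind() {
    first=$(grep -m1 '^-----BEGIN PGP ' "$1" | tr -d '\r')
    case "$first" in
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        '-----BEGIN PGP MESSAGE-----')        echo message ;;
        *)                                    echo unknown ;;
    esac
}

# Read `gpg --status-fd 1` lines on stdin. Print "good <fpr>" only if a
# VALIDSIG line is present and no BADSIG/ERRSIG line is. <fpr> is the last
# VALIDSIG field, which current GnuPG sets to the primary key fingerprint.
status_verdict() {
    awk '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
        END { if (bad || fpr == "") print "bad"; else print "good " fpr }
    '
}

# usage: verify_detached SIGFILE DATAFILE EXPECTED_FPR
# EXPECTED_FPR: 40 hex digits, uppercase, no spaces, obtained out of band.
verify_detached() {
    [ "$#" -eq 3 ] || { echo "usage: verify_detached SIG FILE FPR" >&2; return 2; }
    if [ "$(asc_kind "$1")" != detached ]; then
        echo "$1: not a detached signature, refusing" >&2
        return 1
    fi
    # Always the two-argument form, so the data file is what gets hashed.
    verdict=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_verdict)
    [ "$verdict" = "good $3" ]
}
```

The function's exit status is 0 only when gpg reports a valid signature over the named data file made by the expected key; any other outcome, including a BAD signature, gives a non-zero status.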

