Opened 4 years ago

Last modified 18 months ago

#14187 new enhancement

use OpenPGP notations to sign the names of files to prevent file name tampering

Reported by: proper
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: proper
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Since 'GPG signatures do not authenticate filenames' (#2340), consider using OpenPGP notations to embed the name of the file within the gpg signature.

Try this:

echo "test" > x
gpg --armor --set-notation file@name="x" --detach-sign x
gpg --verify-options show-notations --verify x.asc

Example output:

~ $ echo "test" > x
~ $ gpg --armor --set-notation file@name="x" --detach-sign x

You need a passphrase to unlock the secret key for
user: "Patrick Schleizer <adrelanos@riseup.net>"
4096-bit RSA key, ID 77BB3C48, created 2014-01-16 (main key ID 2EEACCDA)

~ $ gpg --verify-options show-notations --verify x.asc
gpg: Signature made Mon 12 Jan 2015 11:13:19 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=x
~ $ 

You could then consider telling users in verification documentation to add --verify-options show-notations to their gpg --verify command to verify file names.

Not a perfect solution, but a lightweight one. Could be the first step to something better. Can be easily done and automated by a signature creation shell script that you might already have?

(Asked about this on the gnupg-users mailing list by the way.)
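Showing the notation is only half of the check, since gpg still reports "Good signature" when a signed file has been renamed. As an added example (not part of this ticket or of any Tor Browser tooling), the script below parses gpg's machine-readable --status-fd output and accepts a file only when the signature is good and the single file@name notation equals the name of the file actually verified. The sample status lines are constructed from the ticket's example (key ID and fingerprint taken from the ticket, other fields illustrative), and the wrapper assumes a gpg binary on PATH.

```python
import os
import subprocess
from urllib.parse import unquote

# Constructed sample of `gpg --status-fd 1 --verify x.asc x` for the ticket's
# signature (key ID and fingerprint from the ticket; other fields illustrative).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA x
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-01-12 1421104399 0 4 0 1 10 00
"""

def parse_status(status_text):
    """Return (signature_ok, {notation_name: [values]}) from --status-fd lines.
    NOTATION_DATA follows its NOTATION_NAME, may continue over several lines
    and is percent-escaped by gpg, so the pieces are unescaped and joined."""
    good = valid = bad = False
    notations, current = {}, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output, not a status line
        keyword, _, rest = line[len("[GNUPG:] "):].partition(" ")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            valid = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
        elif keyword == "NOTATION_NAME":
            current = rest
            notations.setdefault(current, []).append("")
        elif keyword == "NOTATION_DATA" and current is not None:
            notations[current][-1] += unquote(rest)
    return good and valid and not bad, notations

def filename_matches(status_text, data_path, notation="file@name"):
    """Accept only when the signature is good AND the single file@name notation
    equals the basename of the file actually verified, so a renamed file fails."""
    signature_ok, notations = parse_status(status_text)
    return signature_ok and notations.get(notation) == [os.path.basename(data_path)]

def verify_with_filename(sig_path, data_path):
    """Run gpg (assumed on PATH) and enforce the notation. The data file is
    passed explicitly so gpg does not derive it from the signature's name."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           sig_path, data_path], capture_output=True, text=True)
    return filename_matches(proc.stdout, data_path)
```

Unlike `--verify-options show-notations`, which only prints the notation for a human to read, this fails closed when the notation is absent, duplicated, or does not match.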

Change History (3)

comment:1 Changed 4 years ago by cypherpunks

Instead of writing file@name="x" one can incorporate name of file in namespace of OpenPGP notation itself as filename@torproject.org.

comment:2 in reply to: 1 Changed 4 years ago by proper

Replying to cypherpunks:

Instead of writing file@name="x" one can incorporate name of file in namespace of OpenPGP notation itself as filename@torproject.org.

I think it's best if OpenPGP notations follow existing conventions. For example, issuer-fpr@notations.openpgp.fifthhorseman.net is one of the more common ones. Notations might even be standardized one day. Now, for file name there isn't a convention yet, but I think filename@torproject.org isn't a good idea, because it's difficult to parse with general purpose gpg verification tools. (Both keywords, filename and homepage are variable.) Ideally, this becomes a common convention and perhaps even one day gpg [or wrappers] start using it.

comment:3 Changed 18 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
