Opened 6 years ago

Last modified 3 years ago

#14187 new enhancement

use OpenPGP notations to sign the names of files to prevent file name tampering

Reported by: proper Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: proper Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Since 'GPG signatures do not authenticate filenames' (#2340), consider using OpenPGP notations to embed the name of the file within the gpg signature.

Try this:

echo "test" > x
gpg --armor --set-notation file@name="x" --detach-sign x
gpg --verify-options show-notations --verify x.asc

Example output:

~ $ echo "test" > x
~ $ gpg --armor --set-notation file@name="x" --detach-sign x

You need a passphrase to unlock the secret key for
user: "Patrick Schleizer <>"
4096-bit RSA key, ID 77BB3C48, created 2014-01-16 (main key ID 2EEACCDA)

~ $ gpg --verify-options show-notations --verify x.asc
gpg: Signature made Mon 12 Jan 2015 11:13:19 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <>" [ultimate]
gpg: Signature notation:
gpg: Signature notation: file@name=x
~ $ 

You could then consider telling users in verification documentation to add --verify-options show-notations to their gpg --verify command to verify file names.

Not a perfect solution, but a lightweight one. Could be the first step to something better. Can be easily done and automated by a signature creation shell script, that you might already have?

(Asked about this on the gnupg-users mailing list by the way.)

Child Tickets

Change History (3)

comment:1 Changed 6 years ago by cypherpunks

Instead of writing file@name="x" one can incorporate name of file in namespace of OpenPGP notation itself as

comment:2 in reply to:  1 Changed 6 years ago by proper

Replying to cypherpunks:

Instead of writing file@name="x" one can incorporate name of file in namespace of OpenPGP notation itself as

I think it's best if OpenPGP notations follow existing conventions. For example, is one of the more common ones. Notations might even be standardized one day. Now, for file name there isn't a convention yet, but I think isn't a good idea, because it's difficult to parse with general purpose gpg verification tools. (Both keywords, filename and homepage are variable.) Ideally, this becomes a common convention and perhaps even one day gpg [or wrappers] start using it.

comment:3 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.