[tbb-bugs] #14187 [Tor Browser]: use OpenPGP notations to sign the names of files to prevent file name tampering

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 13 00:46:28 UTC 2015


#14187: use OpenPGP notations to sign the names of files to prevent file name
tampering
-------------------------+--------------------------
 Reporter:  proper       |          Owner:  tbb-team
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 Since 'GPG signatures do not authenticate filenames' (#2340), consider
 using OpenPGP notations to embed the name of the file within the gpg
 signature.

 Try this:

 {{{
 echo "test" > x
 gpg --armor --set-notation file@name="x" --detach-sign x
 gpg --verify-options show-notations --verify x.asc
 }}}

 Example output:

 {{{
 ~ $ echo "test" > x
 ~ $ gpg --armor --set-notation file@name="x" --detach-sign x

 You need a passphrase to unlock the secret key for
 user: "Patrick Schleizer <adrelanos at riseup.net>"
 4096-bit RSA key, ID 77BB3C48, created 2014-01-16 (main key ID 2EEACCDA)

 ~ $ gpg --verify-options show-notations --verify x.asc
 gpg: Signature made Mon 12 Jan 2015 11:13:19 PM UTC using RSA key ID 77BB3C48
 gpg: Good signature from "Patrick Schleizer <adrelanos at riseup.net>" [ultimate]
 gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
 gpg: Signature notation: file@name=x
 ~ $
 }}}

 You could then consider telling users in
 [https://www.torproject.org/docs/verifying-signatures.html.en verification documentation]
 to add `--verify-options show-notations` to their `gpg --verify` command to
 verify file names.

 Not a perfect solution, but a lightweight one. Could be the first step to
 something better. Can be easily done and automated by a signature creation
 shell script, that you might already have?

 (Asked about this on the
 [http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052191.html gnupg-users mailing list]
 by the way.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14187>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
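
Added example, not part of the ticket or of any Tor Project script: `--verify-options show-notations` only prints the notation, so a user still has to compare it with the file name by eye. The shell functions below parse `gpg --status-fd` output and fail unless a valid signature carries exactly one `file@name` notation equal to the name of the file on disk. The names `check_name_notation`, `verify_named` and `SAMPLE_STATUS` are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not Tor Project code): enforce the file@name notation
# proposed in the ticket instead of only displaying it.

# check_name_notation EXPECTED_NAME
# Reads `gpg --status-fd` lines on stdin.
# Returns 0 only if a VALIDSIG line is present and exactly one file@name
# notation equals EXPECTED_NAME. Returns 1 (no valid signature),
# 2 (notation missing or repeated) or 3 (name mismatch) otherwise.
# gpg %XX-escapes notation data; this example compares the escaped form,
# so names containing escaped characters (e.g. spaces) are rejected.
check_name_notation() {
    expected=$1 valid=0 count=0 signed_name= current=
    while read -r prefix keyword value _; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG) valid=1 ;;
            NOTATION_NAME)
                current=$value
                [ "$current" = "file@name" ] && count=$((count + 1)) ;;
            NOTATION_DATA)
                # Data may be split over several NOTATION_DATA lines.
                [ "$current" = "file@name" ] && signed_name=$signed_name$value ;;
        esac
    done
    [ "$valid" -eq 1 ] || { echo "no valid signature" >&2; return 1; }
    [ "$count" -eq 1 ] || { echo "need one file@name notation, got $count" >&2; return 2; }
    [ "$signed_name" = "$expected" ] ||
        { echo "signed name '$signed_name' != '$expected'" >&2; return 3; }
}

# verify_named FILE SIG
# Verifies SIG over FILE and applies the check to FILE's basename.
# If gpg rejects the signature no VALIDSIG is emitted, so this fails too.
verify_named() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_name_notation "$(basename -- "$1")"
}

# Constructed, abbreviated status lines for the file "x" signed above.
SAMPLE_STATUS='[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA x
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-01-12'
```

Usage: `verify_named x x.asc` succeeds for the file signed above, and fails if `x` is renamed before verification.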

