
Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4




On Fri, Feb 27, 2015, at 02:24 PM, Nicolas Vigier wrote:
> On Fri, 27 Feb 2015, andre76@fastmail.fm wrote:
> 
> > 
> > 
> > On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > > andre76@fastmail.fm wrote:
> > > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > > 
> > > Note that calling gpg --verify with a detached signature as its only
> > > argument is insecure (later versions of GnuPG should emit a warning).
> > > See my message to Gnupg-users and subsequent responses for details:
> > > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> > > 
> > 
> > I could read those responses until the end of time and wouldn't
> > understand anything.
> > 
> > Could you tell me what I'm supposed to enter in Terminal to get a
> > response that indicates a good file or a bad file?
> > 
> > Here's what I entered (2 separate ways):
> > 
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > 
> > gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
> > gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
> > 
> > 
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
> 
> The good one is the second one: giving the signature file as first
> argument, and the file to be checked as second argument.
> 
> The problem with giving only one argument is that if the .asc file
> contains some text with an in-line signature (rather than what people
> would expect: a detached signature for the .tar.xz file), then gpg
> will only verify this inline signature and ignore the .tar.xz file.
> And the output only tells you that there is a good signature, so you
> can't see that the .tar.xz file was not checked.
> 
> Example:
> 
>  $ echo 'some text' > some_file.txt
>  $ gpg --clearsign some_file.txt
>  $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> 
> Now the gpg command tells us the signature is good, although it has
> nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:
> 
>  $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>  gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
>  gpg:                using RSA key 2067001B1B678A63
>  gpg: Good signature from "Nicolas Vigier (boklm) <boklm@mars-attacks.org>"
>  gpg:                 aka "Nicolas Vigier (boklm) <boklm@torproject.org>"
> 
> But with 2 arguments it tells us something is wrong:
> 
>  $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
>  gpg: not a detached signature


When run in Terminal this is what happens:

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

I have no idea what all of this means but when I see something that says
"BAD signature" that tells me something is wrong.

Is the tar.xz file bad and suspect?

What must be done to fix this?



-- 
http://www.fastmail.com - Send your email first class

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
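The point Nicolas makes above (a one-argument `gpg --verify` happily reports "Good signature" on a clearsigned or inline-signed .asc and never looks at the .tar.xz) can be guarded against before gpg is even invoked. The following added example is not from the thread or from the Tor project: it classifies the .asc file by its ASCII-armor header and only runs the two-argument form when the file really is a detached signature. The function names `armor_kind` and `verify_detached` are this example's own.

```shell
#!/bin/sh
# Added example: classify an .asc file by its ASCII-armor header so an
# inline or clearsigned message is never mistaken for a detached signature.
# Prints one of: detached, clearsigned, inline, unknown.
armor_kind() {
    # The first armor header line tells us what kind of object this is.
    # A clearsigned file contains a SIGNATURE block too, so stop at the first match.
    first="$(sed -n '/^-----BEGIN PGP/{p;q;}' "$1" 2>/dev/null)"
    case "$first" in
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;    # what a .tar.xz.asc should be
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;; # output of gpg --clearsign
        '-----BEGIN PGP MESSAGE-----')        echo inline ;;      # output of gpg --sign/--encrypt
        *)                                    echo unknown ;;
    esac
}

# Verify DATA against SIG using the two-argument form (signature first, signed
# file second), and refuse to call gpg at all unless SIG is a detached signature.
# Returns 2 when refusing, otherwise gpg's own exit status.
verify_detached() {
    sig="$1"
    data="$2"
    kind="$(armor_kind "$sig")"
    if [ "$kind" != detached ]; then
        echo "refusing: $sig is a '$kind' armor block, not a detached signature" >&2
        return 2
    fi
    gpg --verify "$sig" "$data"
}
```

Usage: `verify_detached tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz`; a "BAD signature" from gpg still means the .tar.xz does not match the signature, which this check does not change.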