Doug Bateman wrote: > I challenged myself to verify all software that I download on my new > machine is verified and signed. Sadly, Win-GnuPG let me down. Heres why.
What's Win-GnuPG? Are you referring to the windows installer build of GnuPG from http://www.gnupg.org/download/ as such? It's just GnuPG. > Most software was distributed as a signed .exe file (using the Windows > signed .EXE format). Some was not signed, but available via an https > connection, allowing me to verify the originating source. And some, > such as Gygwin, WinGnuPG, and sha1sum, required I already have GnuPG or > sha1sum already installed to verify the .sig. Of course, this creates a > bootstrapping problem for several reasons: 1) These .exe's aren't signed > windows .exe's, 2) They aren't available via https (and thus can't > ensure there isnt' a man-in-the middle), and 3) Even if I had sha1sum, > I'd have to use http and not https to download the .sig file, allowing > for the man-in-the-middle to deliver a checksum matching his hacked version. > > Using GnuPG to verify downloads does nothing, if I can't verify that > GnuPG itself isn't valid. I believe the Windows signed .EXE format is X.509 cert based and as such isn't going to help much if the signing certificate doesn't chain back to Windows set of root certs. COTS products will probably invest the money to implement this, it's unlikely for F/OSS. It also assumes the Microsoft technology to create Authenticode signatures is available to F/OSS developers. Your MITM scenarios leave out the crucial step of your attacker also needing to possess Werner Koch's signing key. The .SIG is not just a checksum, it is a digital signature. The verification looks like this: $ gpg -v gnupg-w32cli-1.4.9.exe.sig gpg: assuming signed data in `gnupg-w32cli-1.4.9.exe' gpg: Signature made 03/26/08 12:51:54 using RSA key ID 1CE0C630 gpg: using PGP trust model gpg: Good signature from "Werner Koch (dist sig) <dd...@gnu.org>" gpg: binary signature, digest algorithm SHA1 Your #3 comment is confusing. There is no .SIG to download if verifying with sha1sum. You run sha1sum against the file you wish to verify and compare the program output with the published value. Are you proposing some MITM attack of a replaced installer executable with an /identical/ SHA-1 value? sha1sum and md5sum are widely available as source. If you're so committed to this verified and signed thing that you're unwilling to trust anything, you probably should look into building some things of your own. sha1sum is available as source and/or windows executable along with the respective digital signatures from ftp://ftp.gnupg.org/gcrypt/binary/ Sooner or later you have to establish a base trust. OH! Maybe you could use an eval version of PGP to verify the cryptographic signature on the GnuPG installer. Of course that probably hinges on its installer being a Windows signed-executable right? ;-) Links discussed in this message: Installer: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe Installer signature ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe.sig SHA-1 checksum for Installer c2efad983dfe50e6d8007257bad2c76604be389a gnupg-w32cli-1.4.9.exe > P.S. Please CC: me on the reply if possible. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-k...@gingerbear.net?subject=help Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels"
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
