Hi,

> Aaron Tovo <aaront...@gmail.com> wrote on 28 January 2016 at 06:12:
>
> I re-downloaded the sig file and it still fails the gpg --verify test.
>
> $ gpg --verify libgpg-error-1.21.tar.bz2.sig
> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)"
>
> Could this be some kind of man-in-the-middle attack? I don't recall
> having seen a signature fail like this before.
If you are really interested in further investigating it, it seems that
this might be useful for you. I haven't checked it yet, though.

(1) https://github.com/Whonix/gpg-bash-lib

Quote from (1):

Why

Writing bash scripts that do file verification using gpg that really is
secure and passes a comprehensive threat model, that covers indefinite
freeze, rollback, endless data attacks, etc. is hard. gpg-bash-lib's goal
is to provide a bash library that we can collaboratively develop, audit
and abstract the hard work into reusable functions.

Checking gpg exit codes only is insufficient. Quote Werner Koch (gnupg
lead developer): "there is no clear distinction between the codes and for
proper error reporting you are advised to use the --status-fd messages."

What does it do

- Abstracts file verification into common functions.
- Allows detection of stale files, i.e. detection of downgrade or
  indefinite freeze attacks, by implementing a valid-until like mechanism.
- Internally parses gpg's --status-file output.
- It is signal friendly.
- Detects endless data attacks, aborts and reports this.
- Detects indefinite freeze and rollback (downgrade) attacks and reports
  this.
- Can help with verification of names of files that are otherwise not
  covered by default when using gpg.
- Provides diagnostic output (variables) that contain information on
  whether the local clock is sane, by comparing the signature creation
  date with the local clock.

[...]

Introduction

It is assumed that your script downloaded a data file as well as a
signature file. A separate folder containing the keys that are supposed to
be used for gpg verification, such as for example
/usr/share/program-name/signing-keys.d, is required as a prerequisite. You
can then use this library to do the gpg verification for you.

Cheers,
Stebe

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
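As an added illustration of the point the quoted README makes (checking the gpg exit code alone is insufficient; parse the --status-fd lines instead), here is a small POSIX sh example. It is not part of the original email and not code from gpg-bash-lib. The status lines, fingerprint and timestamps are constructed samples; the keyring directory layout, the MAX_AGE policy and the CLOCK_SKEW_TOLERANCE value are assumptions for the example. It goes slightly beyond the README's description in that it also pins the expected signing-key fingerprint, so the decision does not depend on the local trust database.

```shell
#!/bin/sh
# Added example: decide whether a gpg signature verifies from the
# --status-fd output rather than from the exit code. Not part of
# gpg-bash-lib; all sample data below is constructed.

# Constructed sample of what `gpg --status-fd 1 --verify` writes for a good
# signature. Fingerprint and timestamp are made up for this example.
GOOD_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] SIG_ID AbCdEfGhIjKlMnOpQrStUvWxYz0 2015-12-12 1449921810
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (dist sig)
[GNUPG:] VALIDSIG $GOOD_FPR 2015-12-12 1449921810 0 4 0 1 8 00 $GOOD_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# Constructed sample for the failure in the original report: BADSIG.
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer (dist sig)"

CLOCK_SKEW_TOLERANCE=3600   # seconds a signature may lie in the "future"

# check_status STATUS_TEXT EXPECTED_FPR NOW MAX_AGE
#   0 = VALIDSIG from the expected key, no error lines, fresh enough
#   1 = no VALIDSIG, or a BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG/NODATA line
#   2 = VALIDSIG present but from a fingerprint other than EXPECTED_FPR
#   3 = signature older than MAX_AGE (stale file: rollback / indefinite freeze)
#   4 = signature dated further ahead than CLOCK_SKEW_TOLERANCE
#       (local clock or signature timestamp is not sane)
check_status() {
    cs_status=$1 cs_want=$2 cs_now=$3 cs_max_age=$4
    cs_valid=0 cs_bad=0 cs_fpr='' cs_time=0
    while IFS= read -r cs_line; do
        case $cs_line in
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] EXPSIG '*|\
            '[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*|'[GNUPG:] NODATA '*)
                cs_bad=1 ;;
            '[GNUPG:] VALIDSIG '*)
                # Fields: [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expiry> ...
                set -- $cs_line
                cs_fpr=$3 cs_time=$5 cs_valid=1 ;;
        esac
    done <<EOF
$cs_status
EOF
    [ "$cs_bad" -eq 0 ] && [ "$cs_valid" -eq 1 ] || return 1
    [ "$cs_fpr" = "$cs_want" ] || return 2
    cs_age=$((cs_now - cs_time))
    [ "$cs_age" -le "$cs_max_age" ] || return 3
    [ "$cs_age" -ge "-$CLOCK_SKEW_TOLERANCE" ] || return 4
    return 0
}

# verify_with_gpg SIGFILE DATAFILE KEYDIR EXPECTED_FPR MAX_AGE
# Assumed layout: KEYDIR holds the trusted public keys (one file each), as
# the README's signing-keys.d suggests. A throwaway GNUPGHOME is used so the
# user's own keyring plays no part in the decision; only the status lines
# on stdout (--status-fd 1) are consulted, never gpg's exit code.
verify_with_gpg() {
    vg_home=$(mktemp -d) || return 1
    for vg_key in "$3"/*; do
        gpg --homedir "$vg_home" --batch --quiet --import "$vg_key" 2>/dev/null
    done
    vg_status=$(gpg --homedir "$vg_home" --batch --no-tty --status-fd 1 \
                    --verify "$1" "$2" 2>/dev/null)
    rm -rf "$vg_home"
    check_status "$vg_status" "$4" "$(date +%s)" "$5"
}

# Demo on the constructed samples, pretending "now" is an hour after signing.
if check_status "$GOOD_STATUS" "$GOOD_FPR" 1449925410 86400; then
    echo "good sample: verified"
fi
check_status "$BAD_STATUS" "$GOOD_FPR" 1449925410 86400 \
    || echo "bad sample: rejected (rc=$?)"
```

The freshness check is the "valid-until like mechanism" from the README in its simplest form: the caller states how old a signature may be, and an otherwise valid but too-old signature is rejected as a possible rollback or indefinite freeze. The negative-age branch is the clock-sanity diagnostic: a signature created "in the future" relative to the local clock is reported separately rather than silently accepted.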