Re: unsafe use of gpg

2013-01-13 Thread Timo Weingärtner
Hallo, 2012-12-15 um 17:12:54 schrieb Peter Samuelson: > You're right, in gpgv, it appears you _can't_ suppress the default > keyring, ~/.gnupg/trustedkeys.gpg. So either ensure that this file > does not exist, or set HOME or GNUPGHOME or --homedir to a location > where it will not exist. $ stra

Re: unsafe use of gpg

2012-12-15 Thread Peter Samuelson
[Timo Juhani Lindfors] > Peter Samuelson writes: > > Note that this adds a keyring to the current list. If the intent > > is to use the specified keyring alone, use --keyring along with > > --no-default-keyring. > > You probably read "man gpg" but gpgv is simpler: > > gpgv: Invalid

Re: unsafe use of gpg

2012-12-14 Thread Timo Juhani Lindfors
Peter Samuelson writes: > Note that this adds a keyring to the current list. If the intent > is to use the specified keyring alone, use --keyring along with > --no-default-keyring. You probably read "man gpg" but gpgv is simpler: gpgv: Invalid option "--no-default-keyring" -- To U

Re: unsafe use of gpg

2012-12-14 Thread Peter Samuelson
[Timo Juhani Lindfors] > Is > > /usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig > chmod a+x file > ./file > > still a safe way to ensure that only code signed by a key in trusted.gpg > gets executed? >From the manpage: Note that this adds a keyring to the current l

Re: unsafe use of gpg

2012-12-14 Thread Bernhard R. Link
* Ansgar Burchardt [121214 16:18]: > 2, Not asking gpg to verify signatures: > > I also found packages that call gpg in the form "gpg $file" and expect > gpg to verify the signature on $file and output the signed data. Indeed > it does so for *signed* files, but if you just give it unsigned data

Re: unsafe use of gpg

2012-12-14 Thread Timo Juhani Lindfors
Ansgar Burchardt writes: > I recently looked at several packages using gpg to verify signatures Thanks for your work! Please try to raise this upstream so that they can provide proper interfaces. Is /usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig chmod a+x file ./file

unsafe use of gpg

2012-12-14 Thread Ansgar Burchardt
Hi, I recently looked at several packages using gpg to verify signatures and found ways to circumvent the signature check, see [1] for a few bug reports demonstrating this. [1] So far I have found two diff