Bug#695914: marked as pending
Ansgar Burchardt
ansgar at debian.org
Thu Dec 20 10:36:16 UTC 2012
Hi,
On 12/20/2012 04:29 AM, James McCoy wrote:
> commit 0e804cc658e3a00e07873a4be880f3d2769c913f
> Author: James McCoy <jamessan at debian.org>
> Date: Wed Dec 19 22:25:01 2012 -0500
>
> dscverify: Use "gpg --status-fd" to get more details about validity
>
> Simply running "gpg < file" doesn't ensure the content is properly
> signed. Even when it does, we may not be using the signed content.
>
> Using "gpg --status-fd 1 < file" solves both of these issues. Even
> though it still won't error out with an unsigned file, we'll be able to
> detect that the content wasn't signed by the lack of a VALIDSIG status.
> Also, the command will emit the signed content between PLAINTEXT status
> and any subsequent status lines.
Mixing the status output from gpg and the data is a bad idea. It's
probably still possible to bypass the check with something like
{ echo something; echo "[GNUPG:] VALIDSIG"; } | gpg --store
If you use --status-fd, please use a file descriptor that is not used
for anything else.
Ansgar
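The arrangement Ansgar asks for, status on a file descriptor that carries nothing else and the signed payload on a separate channel, as an added example that is not dscverify's or devscripts' code. It assumes GnuPG's documented status keywords (VALIDSIG, GOODSIG, BADSIG, ERRSIG and friends from doc/DETAILS), assumes gpg is on PATH only for verify_file(), and the status streams embedded as SAMPLE_* constants are constructed for illustration, not captured from a real run.

```python
"""Verify a signed file with gpg, keeping --status-fd on its own pipe.

Added example, not dscverify's code. parse_status() consults only the status
stream, so text inside the signed payload can never masquerade as a status
line; verify_file() wires gpg so that the two never share a descriptor.
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which the signature must be treated as unverified.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                    "REVKEYSIG", "NODATA", "NO_PUBKEY"}

# Constructed sample status streams (hypothetical key ids and fingerprints).
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1234567890ABCDEF Example Key <key@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-19 "
    "1355972701 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_FULLY 0 classic\n"
)
SAMPLE_UNSIGNED_STATUS = "[GNUPG:] PLAINTEXT 62 1355972701 \n"
SAMPLE_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 1234567890ABCDEF Example Key <key@example.org>\n"
)


@dataclass
class SigStatus:
    valid: bool = False             # True only with a VALIDSIG and no failure line
    fingerprint: Optional[str] = None
    keyid: Optional[str] = None
    failures: List[str] = field(default_factory=list)


def parse_status(status_text: str) -> SigStatus:
    """Interpret the lines gpg wrote to its status fd (and nothing else)."""
    result = SigStatus()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                      # not a status line; ignore
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            result.valid = True
            result.fingerprint = args[0]  # first field is the signing key fingerprint
        elif keyword == "GOODSIG" and args:
            result.keyid = args[0]
        elif keyword in FAILURE_KEYWORDS:
            result.failures.append(raw)
    if result.failures:                   # any failed signature overrides a VALIDSIG
        result.valid = False
    return result


def verify_file(signed_path: str, keyring: Optional[str] = None,
                gpg: str = "gpg") -> Tuple[SigStatus, Optional[bytes]]:
    """Run gpg with status on a dedicated pipe and the payload in a temp file.

    Returns (status, payload); payload is None unless the signature is valid.
    """
    status_r, status_w = os.pipe()
    with tempfile.TemporaryDirectory() as tmpdir:
        out_path = os.path.join(tmpdir, "payload")
        cmd = [gpg, "--batch", "--no-tty", "--status-fd", str(status_w),
               "--output", out_path]
        if keyring:                       # e.g. a Debian keyring; assumption
            cmd += ["--no-default-keyring", "--keyring", keyring]
        cmd += ["--decrypt", signed_path]
        proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL,
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, pass_fds=(status_w,))
        os.close(status_w)  # child keeps its copy; our read hits EOF when gpg exits
        with os.fdopen(status_r, "r", encoding="utf-8", errors="replace") as stream:
            status = parse_status(stream.read())
        if proc.wait() != 0 or not status.valid:
            return status, None
        with open(out_path, "rb") as payload:
            return status, payload.read()


if __name__ == "__main__":
    st, data = verify_file(sys.argv[1])
    print("valid" if data is not None else "NOT valid", st.fingerprint, st.failures)
```

Because the payload is written with --output to a file gpg creates itself and status goes to a pipe opened only for that purpose, a file whose body contains the literal text "[GNUPG:] VALIDSIG" is just more payload; the decision is made solely from what gpg wrote to the status descriptor, and the payload is only read back after that decision.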