gpg issues

Robert Collins robertc at robertcollins.net
Tue Feb 14 21:50:05 GMT 2006 

On Tue, 2006-02-14 at 15:04 -0600, John A Meinel wrote:

> You are right that it is a problem with pinentry, but it is how gpg is
> using gpg-agent who is using pinentry.
> Doing:
> 
> echo "foo" | gpg --clearsign
> 
> Fails because pinentry cannot prompt the user
> 
> echo "foo" | gpg --no-use-agent --clearsign
> 
> Does successfully prompt me for a password.
> 
> Do we need a temp dir, or just a temp file? Because by default a temp
> file is created as 0600, so other people can't read it anyway.

open file foo mode 0600
write content to be signed
close file foo
-attacker calls 'mv' and replaces the file with hostile content
gpg opens file foo
gpg signs bad content
gpg writes output file foo.asc
-attacker copies foo.asc and now has your signature on arbitrary data.

> I realize that it isn't *our* bug which is causing this problem. It is a
> bug in some other program (whether it is specifically gpg or pinentry
> doesn't matter, it is still something that I need a workaround for).
> 
> I suppose I could make it a custom hack on my system. Where I create a
> "psuedo-gpg" that creates a temporary file. However, I just tested it,
> and it fails as well.
> 
> Using this fake-gpg.py:
> 
> #!/usr/bin/env python
> """read from sys.stdin into a temporary file, and then have gpg sign it.
> """
> 
> import os, subprocess, sys, tempfile
> 
> t = tempfile.NamedTemporaryFile()
> t.write(sys.stdin.read())
> 
> p = subprocess.Popen(['gpg', '--output', '-', '--clearsign', t.name],
>                 stdout=subprocess.PIPE)
> 
> out, err = p.communicate()
> 
> sys.stdout.write(out)
> sys.exit(p.returncode)
> 
> t.close()
> 
> And then if I just do:
> ./fake-gpg.py
> test<ENTER>
> ^D<ENTER>
> 
> It prompts me for a password correctly, and then does the signature.
> doing
> echo "test" | ./fake-gpg.py
> 
> Fails to prompt, and won't sign.
> 
> So if you don't like the temporary file approach for whatever reason,
> what if I just add an option for:
> 
> gpg_use_temp_file=True
> 
> And then if that is true, it will use a temporary file and '--output -',
> otherwise it will just use stdin for gpg.

I'm ok with a temporary dir. The steps above should show why a temporary
file is unsafe for this use. It seems rather ugly though, and its only
pinentry I've heard of having this issue in ~2.5 years of dealing with
gpg wrappers of various sorts.

> I need some sort of workaround, and I don't think I can easily do it
> with a plugin. Though I guess I can write a plugin for a new GPGStrategy.

You can do that, but I agree that you should not have to.

> I just figured if I'm running into the problem, other people would be as
> well. It isn't like I'm running a custom pinentry or anything.
> 
> So, let me know what you think. I can probably do it either way. One way
> I need to refactor the gpg code so that we can have a nicer way of
> handling the default strategy. (Otherwise, I'll just have a plugin which
> monkey patches GpgStrategy to be my custom class, since it is
> instantiated directly by both cmd_re_sign, and Commit.)
> 
> At this point, if you don't think the gpg code should be re-written,
> I'll just write a plugin which monkey patches GpgStrategy.

I'm concerned that we will open up ourselves to security issues if we
are not extremely careful. I'd *prefer* that you file a bug on pinentry
and see if thats considered problematic by the gpg/pinentry whoever
maintain it folk. But if its by design, then we should handle it
correctly inside bzr. As for the best way to do that, one would be to
have 'gpg_signing_command=pinentry' trigger the use of a custom gpg
strategy, another is to change it for all callers. I'm not sure which is
cleaner at this point, I think you should make that call. I will note
that on systems without good mode control the security risks of
temporary files are much higher, and that should be taken into
consideration when evaluating this.

Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20060215/5c6cdfc6/attachment.pgp

More information about the bazaar mailing list