Bug#1042837: Acknowledgement (signify-openbsd: Embedding signature in gz header does not work)

Sun, 05 Nov 2023 08:45:13 -0800 

On 05/11/23 14:46, Nikolaus Rath wrote:
> Hi Thomas,
> 
> On Sun, 5 Nov 2023, at 14:19, Tomasz Buchert wrote:
> > On 01/08/23 17:15, Nikolaus Rath wrote:
> >> Using -x instead of -m when verifying gives "interesting" output:
> >> 
> >> $ signify-openbsd -Vz -p s3ql-5.0.pub -x signed.gz
> >> untrusted comment: verify with s3ql-5.0.pub
> >> RWSKPEtoJRYfrolP1xcoVCAxdIGvBp+I600+z5r4Ckcknx45J4pGrYvhlrWn6WTtwom7mTyjT7epM/oQyhfn/UbuKTR7pjN+0g0=
> >> date=2023-08-01T16:10:04Z
> >> key=s3ql-5.0.sec
> >> algorithm=SHA512/256
> >> blocksize=65536
> >> 
> >> 05b894ec8534324eda46e2c71b2e9cd8c3e6f89432d222d06949076bc5236998
> >> K����e2~⏎                                                                  
> >>                      
> >> 
> >> This terminates with exit code 0... but somehow I'm not convinced that 
> >> signify did the right thing here.
> >> 
> >
> > I checked that signify puts the FCOMMENT section (from RFC) with 
> > the signature and a bunch of other things at the preamble of the
> > signed gz file. The comment ends just after what looks like SHA256,
> > which is then followed by the binary data. The binary data is
> > identical to the main compressed data of the original file.
> >
> > In fact, it seems that the verification of gz files actually just
> > passes through the whole file. The man page implies that:
> >
> >   Verify a gzip pipeline:
> >      $ ftp url | signify-openbsd -Vz -t arc | tar ztf -
> >
> > The behavior seems then intended, but maybe it's not documented enough?
> 
> Sorry, I don't quite follow. The behavior of printing binary garbage to 
> stdout is intended?
> 
> 
> Best,
> -Niko

Hey,

the "binary garbage" you see is actually the exact contents of the gz file for 
which you verify. See:

[ ~/test ] $ cat out.gz | signify-openbsd -Vz -p ~/.ssh/signify.pub | cat > x
[ ~/test ] $ diff x out.gz 

(i.e., out.gz and the output of signify are exactly the same)

This allows to use it cleanly in the shell pipelines as is shown in the manpage.

I think the request in this bug could be to have an option to verify the
signify-signed gz file WITHOUT printing out the gz file to stdout?

Does it make sense?

Tomasz

Attachment: signature.asc
Description: PGP signature

Reply via email to