Re: signing source code with gpg

2007-03-15 Thread Werner Koch
On Wed, 14 Mar 2007 22:32, [EMAIL PROTECTED] said:

> Now seems like a good time to ask for an option like:
>
>   --require-sig-from  [ ...]
>
> to make sure sigs are only from particular signers.

You can do the same by using gpgv: it verifies only if the key is in a
special keyring.  I am not sure whether adding the suggested option is
really a good idea.  Other folks will come and demand further
customization.

> As an add-on to the FreeBSD ports system, I've already had to employ
> --status-fd to make sure I get a signature from an expected signer:

Scripts are the way we do it in Unix ;-)


Shalom-Salam,

   Werner


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: signing source code with gpg

2007-03-14 Thread Jason Harris
On Wed, Mar 14, 2007 at 06:42:48PM +0100, Werner Koch wrote:
> On Wed, 14 Mar 2007 18:06, [EMAIL PROTECTED] said:

> > revision control system changes the content of the files it will
> > invalidate the signature.

I've read opinions that keyword expansion is deprecated, and seeing
things like:

  $MBSDlabs: portmk/bsd.ocaml.mk,v 1.18 2006/08/06 18:47:23 stas Exp $
  $FreeBSD: ports/Mk/bsd.ocaml.mk,v 1.1 2007/03/14 04:05:25 linimon Exp $

makes me tend to agree.  While this shows the origin of the file in
multiple repositories, does it really help the upstream author when
merging patches from downstream?

Also, CVS (and probably other systems) doesn't update keywords until
after a checkin+checkout cycle, so any signatures you [re]generate
before the next checkout will be[come] broken.  Thus, using keyword
expansion means you have to trust the server to give back your files
with hopefully only the keywords modified before you can [re-]sign
them.  Of course, this requires two checkins and is particularly
noticeable (i.e., ugly) and even more problematic (i.e., "The sigs
are broken in -r5, get -r6.")  on newer systems with atomic commits
that would otherwise prevent this (keyword-expansion-race) problem.

> FWIW, I use this with some files and Subversion:
> 
> # Note: The subversion copy of this file carries a gpg:signature
> # property with its OpenPGP signature.  Check this signature before
> # adding entries:
> #  f=foo; svn pg gpg:signature $f | gpg --verify - $f
> # to create a new signature:
> #  f=foo; gpg -sba $f && svn ps gpg:signature -F $f.asc $f

Finally!  :)

But (for those who may be unaware), unfortunately this will allow
valid sigs from _any key_ you happen to have in _any of the keyrings_
GPG accesses during this step.

Now seems like a good time to ask for an option like:

  --require-sig-from  [ ...]

to make sure sigs are only from particular signers.

As an add-on to the FreeBSD ports system, I've already had to employ
--status-fd to make sure I get a signature from an expected signer:

  ===> Verifying PGP signature gnupg-1.4.7.tar.bz2.sig
  gpg: assuming signed data in `/usr/ports/distfiles//gnupg-1.4.7.tar.bz2'
  gpg: Signature made Mon Mar  5 04:54:17 2007 EST using RSA key ID 1CE0C630
  gpg: please do a --check-trustdb
  gpg: Good signature from "Werner Koch (dist sig) <[EMAIL PROTECTED]>"
  Primary key fingerprint: 7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
  gpg: binary signature, digest algorithm SHA1
  ===> Valid sig. from expected ID 0x7B96D396E6471601754BE4DB53B620D01CE0C630.

versus a key ID that differs even by only one bit:

  ===> Verifying PGP signature gnupg-1.4.7.tar.bz2.sig
  gpg: assuming signed data in `/usr/ports/distfiles//gnupg-1.4.7.tar.bz2'
  gpg: Signature made Mon Mar  5 04:54:17 2007 EST using RSA key ID 1CE0C630
  gpg: please do a --check-trustdb
  gpg: Good signature from "Werner Koch (dist sig) <[EMAIL PROTECTED]>"
  Primary key fingerprint: 7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
  gpg: binary signature, digest algorithm SHA1
  => error:  File wasn't signed by ID 0x7B96D396E6471601754BE4DB53B620D01CE0C631.
  => error:  Make sure sigs. from  ID 0x7B96D396E6471601754BE4DB53B620D01CE0C630
  => error:  are legitimate before adjusting FP_SIG_000 in Makefile.csig
  *** Error code 1

or several expected signers:

  ===> Verifying PGP signature subversion-1.4.3.tar.bz2.asc
  gpg: armor header: Version: GnuPG v1.4.5 (Cygwin)
  gpg: armor header: Version: GnuPG v1.4.3 (GNU/Linux)
  gpg: armor header: Version: GnuPG v1.4.5 (GNU/Linux)
  gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
  gpg: armor header: Version: GnuPG v1.4.6 (Darwin)
  gpg: assuming signed data in `/usr/ports/distfiles/subversion/subversion-1.4.3.tar.bz2'
  [snip]
  ===> Valid sig. from expected ID 0x03341CF464A23E9416E76B1EA1FCE25133D38008 23885E64C64E981E4884834D7C535299C0F2C580 332480DA0F8CA37DAEE6D0840B03AE6E4E24517C 3C016F2B764621BB549C66B516A96495E2226795 AAFF6033364F02BB1239907567D9B249674F05E0.

(As implemented, this requires at least one VALIDSIG from every fingerprint
in the list.)

NB:  This facilitates [re]fetching the key(s) in advance of the signature
check to help catch any revocations _and_ removes the need to --[l]sign
keys to "memorize" them as "expected" signers and/or to juggle keyrings,
esp. with gpgv.

-- 
Jason Harris   |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web:  http://keyserver.kjsl.com/~jharris/
  Got photons?   (TM), (C) 2004
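As an added example (not code from the thread), here is a POSIX sh sketch of the check Jason describes above and that Werner's reply suggests scripting: parse the machine-readable `--status-fd` lines and require a VALIDSIG from every expected fingerprint, rejecting revoked or expired keys. The `check_status` and `verify_detached` names and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): require that a detached signature
# was made by every expected key, by parsing the machine-readable
# --status-fd lines rather than the human-readable "Good signature" text.

# Constructed sample of gpg status output for the gnupg-1.4.7 tarball
# check quoted in the thread; field 3 of VALIDSIG is the fingerprint of
# the key that actually made the signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG 53B620D01CE0C630 Werner Koch (dist sig)
[GNUPG:] VALIDSIG 7B96D396E6471601754BE4DB53B620D01CE0C630 2007-03-05 1173088457 0 3 0 1 2 00 7B96D396E6471601754BE4DB53B620D01CE0C630
[GNUPG:] TRUST_UNDEFINED'

# check_status STATUS_TEXT FPR...
# Returns 0 only if no line reports a bad signature or a revoked/expired
# key, and every expected fingerprint (40 hex digits, no spaces) has a
# VALIDSIG line.  VALIDSIG is also emitted for revoked and expired keys,
# so the negative check comes first.
check_status() {
    status=$1; shift
    if printf '%s\n' "$status" | \
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG|EXPSIG|NODATA)'; then
        return 1
    fi
    [ $# -gt 0 ] || return 1          # an empty expected list accepts nothing
    for want in "$@"; do
        printf '%s\n' "$status" | awk -v want="$want" \
            '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { ok = 1 }
             END { exit !ok }' || return 1
    done
    return 0
}

# verify_detached SIGFILE DATAFILE FPR...
# Runs gpg with the status lines on fd 3, captures them, and applies
# check_status; gpg's own exit code is deliberately ignored because the
# status lines are the authoritative result.
verify_detached() {
    sig=$1; data=$2; shift 2
    status=$(gpg --batch --status-fd 3 --verify "$sig" "$data" 3>&1 >/dev/null 2>&1) || true
    check_status "$status" "$@"
}

# Demo on the constructed sample: expected key present, then one bit off.
check_status "$SAMPLE_STATUS" 7B96D396E6471601754BE4DB53B620D01CE0C630 && echo "accepted"
check_status "$SAMPLE_STATUS" 7B96D396E6471601754BE4DB53B620D01CE0C631 || echo "rejected"
```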




Re: signing source code with gpg

2007-03-14 Thread Werner Koch
On Wed, 14 Mar 2007 18:06, [EMAIL PROTECTED] said:

> revision control system changes the content of the files it will
> invalidate the signature.

FWIW, I use this with some files and Subversion:

# Note: The subversion copy of this file carries a gpg:signature
# property with its OpenPGP signature.  Check this signature before
# adding entries:
#  f=foo; svn pg gpg:signature $f | gpg --verify - $f
# to create a new signature:
#  f=foo; gpg -sba $f && svn ps gpg:signature -F $f.asc $f



Shalom-Salam,

   Werner




Re: signing source code with gpg

2007-03-14 Thread Werner Koch
On Wed, 14 Mar 2007 18:02, [EMAIL PROTECTED] said:

> two factors it's really just way better to --detach-sign the code.

I 100% agree. The problem with non-detached signatures is that it is
very hard to know what you exactly signed.  Having two files makes it
obvious what is the signature and what is the signed data.  And there
is no need to change the data in any way.


Shalom-Salam,

   Werner


p.s.
In this regard PGP/MIME messages (not using the combined option) are
also better than any other way to sign mails.  That is also why you
should never use the inline PDF signatures - a separate signature file
is far better.  Only XML signatures are worse than inline PDF
signatures.






Re: signing source code with gpg

2007-03-14 Thread Joseph Oreste Bruni
In this case a detached signature would be your best bet. You would  
check the detached sig in with the source code. When the source is  
checked out, you could then validate that the source has not changed  
since it was signed. Be careful, though, if you use any embedded  
keywords with your revision control system ($Id$, et al). If the  
revision control system changes the content of the files it will  
invalidate the signature.


-Joe



On Mar 12, 2007, at 7:02 PM, Nathan Smith wrote:

Does anyone know if there's a solution to signing source code (using gpg), in
a way which will still allow the source code to function.  For example for a
Java file if the GPG signature could be placed within the comments embedded
within the Java source (ie /* */ ), or within XML comments (ie <!-- -->)
for an XML file.  We are trying to implement a source signing policy at our
company, where a developer's source code is signed before it is checked into
our source control system. But of course, the source must still be able to
compile, and signing must not affect the functionality of the source.
Thanks.. Nate
--
View this message in context: http://www.nabble.com/signing-source-code-with-gpg-tf3393462.html#a9447180
Sent from the GnuPG - User mailing list archive at Nabble.com.




Re: signing source code with gpg

2007-03-14 Thread Peter S. May
There are certainly some hacks you could try out, but they would be
somewhat error-prone.  The easiest and most secure way to go about this
would probably be to --detach-sign instead of doing a cleartext signature.

If you require a cleartext signature, reconsider your design.

If you still require a cleartext signature, _reconsider your design_.

If you _still_ require a cleartext signature, here's something that
would clearsign a (slightly modified) Java file and still compile:

echo "/*" > startcomment.tmp
echo "*/" > endcomment.tmp
cat endcomment.tmp HelloWorld.java startcomment.tmp | \
gpg --not-dash-escaped --no-escape-from-lines --clearsign | \
cat startcomment.tmp - endcomment.tmp > HelloWorld.signed.java

The signed part itself is not valid Java, but the result of the message
after signing is.  If you were to actually use this, anyone who verifies
your code will be required to make sure nothing substantive occurs
before or after the signed part (i.e., nothing before the start line
except /* and nothing after the end line except */); it would be easy to
sneak in some bad code.  Additionally, your verifiers would need GnuPG
to verify since the NotDashEscaped extension is included.  Between these
two factors it's really just way better to --detach-sign the code.

HTH
PSM

Nathan Smith wrote:
> Does anyone know if there's a solution to signing source code (using gpg), in
> a way which will still allow the source code to function.  For example for a
> Java file if the GPG signature could be placed within the comments embedded
> within the Java source (ie /* */ ), or within XML comments (ie <!-- -->)
> for an XML file.  We are trying to implement a source signing policy at our
> company, where a developer's source code is signed before it is checked into
> our source control system. But of course, the source must still be able to
> compile, and signing must not affect the functionality of the source.
> Thanks.. Nate



signing source code with gpg

2007-03-14 Thread Nathan Smith

Does anyone know if there's a solution to signing source code (using gpg), in
a way which will still allow the source code to function.  For example for a
Java file if the GPG signature could be placed within the comments embedded
within the Java source (ie /* */ ), or within XML comments (ie <!-- -->)
for an XML file.  We are trying to implement a source signing policy at our
company, where a developer's source code is signed before it is checked into
our source control system. But of course, the source must still be able to
compile, and signing must not affect the functionality of the source.
Thanks.. Nate
-- 
View this message in context: http://www.nabble.com/signing-source-code-with-gpg-tf3393462.html#a9447180
Sent from the GnuPG - User mailing list archive at Nabble.com.

