Improve robustness of signature verification by limiting terms and honoring return codes
Problematic binary data in gpg statusfile
The output of
gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null
or
git verify-commit --raw <commit> 2>&1
may contain binary data, if the signature has been created with an OpenPGP implementation that e.g. makes use of notations.
If the notation string (see NOTATION_DATA in /usr/share/doc/gnupg/DETAILS) contains a trailing binary char, this will break signature verification, as any following entry (e.g. VALIDSIG) will be offset.
As we are only making use of a narrow set of terms from the statusfile (namely NEWSIG, GOODSIG, EXPSIG, EXPKEYSIG, REVKEYSIG, BADSIG, ERRSIG, VALIDSIG, TRUST_UNDEFINED, TRUST_NEVER, TRUST_MARGINAL, TRUST_FULLY, TRUST_ULTIMATE), we are applying a filter, so that only understood terms are written to the file.
Checking return codes
Before piping gpg statusfile data into another command, we now check the return code of the gpg
call so that it is not masked by the command we pipe into. This is improved for makepkg and pacman-key.
Reproducer for problematic binary data in statusfile
$ git clone https://gitlab.com/sequoia-pgp/sequoia-sq
$ cd sequoia-sq
$ git verify-commit --raw f04eb709c5ba2b4a4474e5aa8b5da29baead0042 2>&1
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] SIG_ID XFwL/bUQiA6B+Xk4d1Kf9EOybx0 2023-12-15 1702674938
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] GOODSIG 686F55B4AB2B3386 Justus Winter (Code Signing Key) <justus@sequoia-pgp.org>
[GNUPG:] NOTATION_NAME salt@notations.sequoia-pgp.org
[GNUPG:] NOTATION_DATA %14/�iYm7���m�ki9J܆_aB
[GNUPG:] VALIDSIG D1FE45FB978F6B65C4C0B9AA686F55B4AB2B3386 2023-12-15 1702674938 0 4 0 22 10 00 D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
$ git verify-commit --raw 195ef2bf9b218ff4d6f25b1854f9f4558f449672 2>&1
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] SIG_ID eQIm8a2+2dl6kh/etrEapyvNOzk 2024-01-19 1705671575
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] GOODSIG 686F55B4AB2B3386 Justus Winter (Code Signing Key) <justus@sequoia-pgp.org>
[GNUPG:] NOTATION_NAME salt@notations.sequoia-pgp.org
[GNUPG:] NOTATION_DATA Hw+}/d^�a)%1E3'3Tv_Շ%1Ba@%16�
[GNUPG:] VALIDSIG D1FE45FB978F6B65C4C0B9AA686F55B4AB2B3386 2024-01-19 1705671575 0 4 0 22 10 00 D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD
[GNUPG:] KEY_CONSIDERED D2F2C5D45BE9FDE6A4EE0AAF31855247603831FD 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
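
The term filter and the return-code check described above, sketched as an added example (not the code from this change or from pacman). The function names, the `sample_gpg` stand-in and its status lines are constructed for illustration, and `grep -a` assumes GNU or BSD grep.

```shell
#!/bin/sh
# Added example, not pacman's code; function names are hypothetical.

# Status keywords listed in the description above.
STATUS_TERMS='NEWSIG|GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG|VALIDSIG'
STATUS_TERMS="$STATUS_TERMS|TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE"

# Pass through only understood status lines. LC_ALL=C with -a matches bytewise
# instead of reporting "Binary file matches" on raw notation bytes.
# No match (exit 1) is not an error here; a real grep failure (exit 2) is.
filter_status() {
    LC_ALL=C grep -a -E "^\[GNUPG:] ($STATUS_TERMS)( |\$)" || [ "$?" -eq 1 ]
}

# write_status STATUSFILE CMD [ARGS...]
# Runs CMD and records its exit code before any filtering happens, writes the
# filtered status lines to STATUSFILE, then returns CMD's exit code.
write_status() {
    ws_out=$1; shift
    ws_raw=$(mktemp) || return 2
    ws_rc=0
    "$@" > "$ws_raw" 2>/dev/null || ws_rc=$?
    filter_status < "$ws_raw" > "$ws_out" || ws_rc=2
    rm -f -- "$ws_raw"
    return "$ws_rc"
}

# Constructed stand-in for gpg --status-fd output: prints a status stream with
# raw bytes in NOTATION_DATA and exits with the code given as $1.
sample_gpg() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] KEY_CONSIDERED 0000000000000000000000000000000000000000 0' \
        '[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.org>' \
        '[GNUPG:] NOTATION_NAME salt@notations.sequoia-pgp.org'
    printf '[GNUPG:] NOTATION_DATA %%14/\377\200iYm7\033\n'
    printf '%s\n' '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-12-15' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
    return "$1"
}

# Demo: the verifier exits with 1; that code survives the filtering step.
demo_out=$(mktemp)
demo_rc=0
write_status "$demo_out" sample_gpg 1 || demo_rc=$?
echo "verifier exit code: $demo_rc"
cat "$demo_out"
rm -f -- "$demo_out"
```

In this sketch the filtered status file is still written when the verifier fails, so a caller can report the failing term, but the verifier's exit code is what `write_status` returns.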