-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check that GnuPG key import was successful. #148
Conversation
Rather than checking the GnuPG process exit code, a more robust way to handle determining whether or not a GnuPG process behaved as was intended is to check GnuPG's status-fd output. [0] In the case of key import, the particular status-fd flag we're looking for is `IMPORT_OK` followed by a "reason", then the expected fingerprint. [1] Because the "reason"s are integers which may be ORed, and we are never expecting private keys to be within the file, we can assume the reason to be `[0, 15]` inclusive. While it's not strictly necessary to hardcode Erinn's key fingerprint within the code because the keyfiles are safely distributed along with the source code, doing so adds a simple defense-in-depth mechanism for the unlikely case that a user's torbrowser-launcher package/source download was compromised. As such, and because it was a trivial addition which will also assist with checking that a signature was made by the key with the expected fingerprint [2], I've gone ahead and added a `common.fingerprints` dictionary whose keys match the names of the `common.paths` keyfile for their respective key (i.e. the fingerprint for `common.paths['erinn_key']` is stored at `common.fingerprints['erinn_key']`) in order to facilitate extensibility in the event that torbrowser-launcher should add new keyfiles in the future. This may be removed, if undesirable. * ADD `common.gnupg_import_ok_pattern`, a compiled regex for determining if a key import was successful. * ADD new class attribute, `common.Common.fingerprints` for storing fingerprints. * ADD new method, `common.Common.import_key_and_check_status()`, which imports a GnuPG key, and then checks that the key was successfully imported. * CHANGE `common.Common.import_keys()` method to make adding new/additional keys easier. * FIXES torproject#137 [0]: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l323 [1]: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=HEAD#l713 [2]: torproject#147
* ADDS two compiled regexes, `launcher.gnupg_goodsig_pattern` and `launcher.gnupg_validsig_pattern`. * CHANGE the signature validity check in `Launcher.verify()` to be more robust and accurate. * ADD check that the signature was created by the key with fingerprint which we expected it to be from. * FIXES torproject#147 NOTE: This patch depends upon some of the changes in my previous patch for issue torproject#137 (pull request torproject#148) in commit b337b3d.
Ah, someone should also check if this works on Windows. Sometimes parts of the Python |
Thank you @isislovecruft! Sorry for taking so long, reviewing and merging now. |
If I delete all of the TBL files (
However the key does indeed get imported successfully, and it verifies the signature successfully after downloading TBB. If I run
It looks like when I run it just after deleting all of the TBL files, this is the output:
And when I run it a second time, this is the output:
I think the regex is only checking the first line of output, not the first "[GNUPG:]" line. |
A year and a half late merging a pull request is better than never, right? |
Rather than checking the GnuPG process exit code, a more robust way to
handle determining whether or not a GnuPG process behaved as was
intended is to check GnuPG's status-fd output. 0
In the case of key import, the particular status-fd flag we're looking
for is
IMPORT_OK
followed by a "reason", then the expectedfingerprint. 1 Because the "reason"s are integers which may be ORed,
and we are never expecting private keys to be within the file, we can
assume the reason to be
[0, 15]
inclusive.While it's not strictly necessary to hardcode Erinn's key fingerprint
within the code because the keyfiles are safely distributed along with
the source code, doing so adds a simple defense-in-depth mechanism for
the unlikely case that a user's torbrowser-launcher package/source
download was compromised. As such, and because it was a trivial
addition which will also assist with checking that a signature was made
by the key with the expected fingerprint 2, I've gone ahead and added
a
common.fingerprints
dictionary whose keys match the names of thecommon.paths
keyfile for their respective key (i.e. the fingerprintfor
common.paths['erinn_key']
is stored atcommon.fingerprints['erinn_key']
) in order to facilitate extensibilityin the event that torbrowser-launcher should add new keyfiles in the
future. This may be removed, if undesirable.
common.gnupg_import_ok_pattern
, a compiled regex fordetermining if a key import was successful.
common.Common.fingerprints
for storingfingerprints.
common.Common.import_key_and_check_status()
, whichimports a GnuPG key, and then checks that the key was successfully
imported.
common.Common.import_keys()
method to make addingnew/additional keys easier.