GNU bug report logs - #22883
Trustable "guix pull"

Previous Next

Package: guix;

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Wed, 2 Mar 2016 18:05:02 UTC

Severity: serious

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Mike Gerwitz <mtg <at> gnu.org>
To: Werner Koch <wk <at> gnupg.org>
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus <at> gnupg.org>, neal <at> walfield.org
Subject: bug#22883: Trustable "guix pull"
Date: Sat, 04 Jun 2016 21:43:29 -0400

[Message part 1 (text/plain, inline)]
On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.
> [...]
> I have never looked into git to check whether git correctly calls gpg
> to verify signatures.  That should eventually be done.

A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer):

It invokes `gpg --status-fd=1 --verify FILE -`, where FILE is a
signature written to a temporary file for the sake of invoking
GPG.  It checks for a non-zero exit code and GOODSIG:

  ret |= !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG ");

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 53 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.