[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Jan 21 20:07:32 UTC 2011
#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
Reporter: rransom | Owner: rransom
Type: defect | Status: needs_review
Priority: critical | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
--------------------------------------+-------------------------------------
Comment(by dkg):
i notice that you are [https://www.torproject.org/docs/debian.html.en
already doing the right thing with respect to debian and ubuntu], but you
aren't protected against version-rollback attacks there either. the
[http://deb.torproject.org/torproject.org/dists/sid/Release.gpg
`Release.gpg`] file doesn't have a signature expiration subpacket in it,
and the [http://deb.torproject.org/torproject.org/dists/sid/Release
`Release`] file doesn't have a `Valid-Until` header (i only checked your
sid repo -- maybe this isn't true for the other ones).
If you are using reprepro to maintain that repo, and you want to add the
`Valid-Until:` header, add a line to the relevant stanzas in
`conf/distributions` (replace `14d` with your preferred expiration time):
{{{
ValidFor: 14d
}}}
If you want to make the signatures themselves expire, you'll need to tweak
`gpg.conf` for whoever handles the archive-signing key (or make a new
`$GNUPGHOME` and tweak the `gpg.conf` there) by adding a line like:
{{{
default-sig-expire 14d
}}}
sorry i can't help you more with the proprietary operating systems.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list