audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects

An issue with torbrowser-launcher's use of the gpg command line.

[Or call it an issue of the GnuPG interface and the difficulty of using it inside scripts, unfinished Python gpg libraries, etc.]

https://github.com/micahflee/torbrowser-launcher/issues/229

Whonix consistently uses gpg-bash-lib. I've checked that it is not affected by this issue, i.e. it explicitly defines the sig file and the data file.

https://github.com/Whonix/gpg-bash-lib/blob/833da423f8d5e95fc08de1d68a0a544109dadbe4/usr/lib/gpg-bash-lib/modules.d/50_common#L281-L282

However, I welcome review of this issue and of gpg-bash-lib generally. Other (build) scripts using gpg may also be affected.
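For scripts being audited, the pattern of explicitly naming both the signature file and the data file looks like the following shell example. It is added here and is not code from gpg-bash-lib or torbrowser-launcher. The function names, the pinned-fingerprint argument and the status-line checks are assumptions of the example, which also assumes the signing key is already in the default keyring.

```bash
#!/bin/bash
# Added example (not from gpg-bash-lib or torbrowser-launcher).
# Function names and the pinned-fingerprint argument are hypothetical.

# status_ok STATUS PINNED_FPR
# Accept only: exactly one GOODSIG, exactly one VALIDSIG whose last field
# (the primary-key fingerprint) equals PINNED_FPR, and no failure or
# expiry status. Anything else fails closed.
status_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; if ($NF == want) pinned++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good == 1 && valid == 1 && pinned == 1 && !bad) }'
}

# verify_detached SIG_FILE DATA_FILE PINNED_FPR
# Returns 0 on a good pinned signature, 1 on verification failure,
# 2 if either file is missing.
verify_detached() {
    vd_sig=$1; vd_data=$2; vd_fpr=$3
    # Both paths come from the caller; gpg is never left to infer
    # the data file from the signature file name or content.
    [ -f "$vd_sig" ] && [ -f "$vd_data" ] || return 2
    # Two file arguments: the first is treated as a detached signature,
    # the second as the signed data. Machine-readable status goes to stdout.
    vd_status=$(gpg --batch --no-tty --status-fd 1 \
                    --verify -- "$vd_sig" "$vd_data" 2>/dev/null) || return 1
    status_ok "$vd_status" "$vd_fpr"
}
```

A script that only checks gpg's exit code, or that passes a single file to `--verify`, does not get these guarantees; when reviewing build scripts, look for both arguments and a fingerprint comparison.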

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System in 2012, when quickly others joined efforts. He collected experiences working pseudonymous on Whonix for two years, enjoys collaboratively working on privacy preserving software.


Posted in General Security News, Whonix Development News
