audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects

This is an issue with how torbrowser-launcher uses the gpg command line.

[Or call it an issue of the GnuPG interface and the difficulty of using it inside scripts, unfinished Python gpg libraries, etc.]

https://github.com/micahflee/torbrowser-launcher/issues/229

Whonix consistently uses gpg-bash-lib. I've checked that it is not affected by this issue, i.e. it explicitly defines the sig file and data file.

https://github.com/Whonix/gpg-bash-lib/blob/833da423f8d5e95fc08de1d68a0a544109dadbe4/usr/lib/gpg-bash-lib/modules.d/50_common#L281-L282

However, I welcome review for this issue and gpg-bash-lib generally. Other (build) scripts using gpg may also be affected.

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System in 2012, when quickly others joined efforts. He collected experiences working pseudonymous on Whonix for two years, enjoys collaboratively working on privacy preserving software.

Posted in General Security News, Whonix Development News
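
For anyone auditing their own (build) scripts, here is an added example of the pattern discussed in this post and in the replies: it names both the signature file and the data file and runs gpg in `--batch` mode. It is not code from gpg-bash-lib or torbrowser-launcher; the function name `verify_detached`, the `GPG_BIN` override and the choice to pin a fingerprint via `--status-fd` output are assumptions of this sketch.

```shell
# Added example (not from gpg-bash-lib or torbrowser-launcher).
# Usage: verify_detached SIG DATA FPR
#   SIG  detached signature file
#   DATA file the signature must cover
#   FPR  pinned fingerprint, 40 upper-case hex digits without spaces
# GPG_BIN is a hypothetical override for the gpg binary (default: gpg).
verify_detached() (
    sig=$1 data=$2 fpr=$3
    # Insist on both file names. Given only one file, gpg works out on
    # its own what the signed data is; the caller must decide that.
    if [ "$#" -ne 3 ] || [ -z "$sig" ] || [ -z "$data" ] || [ -z "$fpr" ]; then
        echo "usage: verify_detached SIG DATA FPR" >&2
        exit 2
    fi
    if [ ! -f "$sig" ] || [ ! -f "$data" ]; then
        echo "verify_detached: signature or data file missing" >&2
        exit 2
    fi
    # --batch/--no-tty: never prompt. --status-fd 1: machine-readable
    # result on stdout. "--" ends options, so a file name beginning
    # with "-" cannot be read as one.
    status=$("${GPG_BIN:-gpg}" --batch --no-tty --status-fd 1 \
        --verify -- "$sig" "$data" 2>/dev/null) || exit 1
    # Accept only a VALIDSIG line for the pinned key (field 3 is the
    # signing key, the last field the primary key), and reject if any
    # failure, expiry or revocation status appears.
    printf '%s\n' "$status" | awk -v fpr="$fpr" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !(ok && !bad) }'
)
```

The function returns 0 only when gpg itself succeeds and the status output shows a valid signature from the pinned key; exit status 2 means it refused to call gpg at all.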

Notable Replies

  1. HulaHoop says:

    Problem fixed in torbrowser launcher: https://twitter.com/micahflee/status/710148540480131072

  2. Patrick says:
    github.com/Whonix/gpg-bash-lib adrelanos

    use gpg --batch mode

    as suggested by @DigitalBrains1 to torbrowser-launcher
    
    https://github.com/micahflee/torbrowser-launcher/issues/229#issuecomment-204942240
    
    changed 1 files with 5 additions and 0 deletions.
