audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects

Issue of torbrowser-launcher using gpg command line.

[or call it an issue of the gnupg interface and the difficulty of using it inside scripts, unfinished python gpg libraries etc.]

https://github.com/micahflee/torbrowser-launcher/issues/229

Whonix consistently uses gpg-bash-lib. I’ve checked that it is not affected by this issue, i.e. it explicitly defines the sig file and the data file.

https://github.com/Whonix/gpg-bash-lib/blob/833da423f8d5e95fc08de1d68a0a544109dadbe4/usr/lib/gpg-bash-lib/modules.d/50_common#L281-L282

However, I welcome review for this issue and gpg-bash-lib generally. Other (build) scripts using gpg may also be affected.

Patrick started developing Whonix, the Anonymous Operating System, in 2012, and others quickly joined the effort. He gained experience working pseudonymously on Whonix for two years and enjoys working collaboratively on privacy-preserving software.
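The kind of invocation the post refers to, with the signature file and the data file both named explicitly, as an added example that is not gpg-bash-lib's code. `verify_detached` is a hypothetical helper; it assumes the signing key is already in the keyring and that the caller pins its primary key fingerprint.

```sh
#!/bin/sh
# Added example; not gpg-bash-lib code. verify_detached is a hypothetical helper.
# Usage: verify_detached <sig_file> <data_file> <pinned_primary_key_fingerprint>
# Exit status 0 only if gpg reports exactly one valid signature, made by the
# pinned key, over <data_file>. Runs in a subshell so no variables leak.
verify_detached() (
    [ "$#" -eq 3 ] || exit 2
    sig=$1 data=$2 want=$3

    # The caller must name both files; gpg is never left to guess the data file.
    [ -f "$sig" ] && [ -f "$data" ] || exit 2

    # With two file arguments gpg treats the first as a detached signature and
    # the second as the signed data. "--" ends option parsing, so a file name
    # starting with "-" cannot be read as an option.
    status=$(gpg --batch --no-tty --status-fd 1 --verify -- "$sig" "$data" \
        2>/dev/null) || exit 1

    count=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*)
                exit 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                exit 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint.
                [ "${line##* }" = "$want" ] || exit 1
                count=$((count + 1)) ;;
        esac
    done <<EOF
$status
EOF

    # Exactly one valid signature by the pinned key; zero or several is a failure.
    [ "$count" -eq 1 ]
)
```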
