[Whonix-devel] gpg-bash-lib - gpg file verification bash library - first public release announcement - 0.5-1

Whonix | Privacy and Anonymity OS newblogpost at whonix.org
Thu Apr 2 15:30:44 CEST 2015

gpg-bash-lib is a gpg file verification bash library that addresses a comprehensive threat model, covering file name tampering, indefinite freeze, rollback, endless data attacks, etc.



Writing bash scripts that do file verification using gpg in a way that is really secure and passes a comprehensive threat model (covering indefinite freeze, rollback, endless data attacks, etc.) is hard.

gpg-bash-lib's goal is to provide a bash library that we can collaboratively develop and audit, abstracting the hard work into reusable functions.

Checking gpg exit codes alone is insufficient. Quoting Werner Koch [1] (gnupg lead developer):

"there is no clear distinction between the codes and for proper error reporting you are advised to use the --status-fd messages."

(For a definition of these attacks, see TUF [2] (The Update Framework)'s [3] threat model [4] [5].)

Mini Demo:
After installation, if you run the following command,


you would see the following output:

your_script_begin: ...
verification: BEGIN
verification: END
your_script_output: BEGIN
gpg_bash_lib_output_failure_status: false
gpg_bash_lib_output_gpg_verify_exit_code: 0
gpg_bash_lib_output_goodsig_status: true
gpg_bash_lib_output_validsig_status: true
gpg_bash_lib_output_fingerprint_in_hex: 5E08605EBEA0FE88695DCB88FD0A8B4171DFE4E4
gpg_bash_lib_output_signed_on_unixtime: 1422049448
gpg_bash_lib_output_signed_on_date: March 01 13:56:27 UTC 2015
gpg_bash_lib_output_notation[$file@name]: test-file
gpg_bash_lib_output_file_name_tampering: false
gpg_bash_lib_output_freshness_status: true
gpg_bash_lib_output_freshness_detail: current
- Freshness: Signature is current.
- valid-max: Signatures are valid up to 30 days.
- Signature Creation Date: March 01 13:56:27 UTC 2015
- Current System Date    : March 02 16:0:55 UTC 2015
- Local System Clock: Your clock seems okay.
- Relative Signature Creation Time: According to your system clock, signature was created 2 days 26 minutes 3 seconds ago.
gpg_bash_lib_output_alright_status: true
your_script_output: END

All information (Signature Creation Date, etc.) is easily accessible through separate variables, which are all documented.
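An added example (not gpg-bash-lib's own code) of the status-fd parsing approach described above: instead of trusting the gpg exit code, it reads the status lines, requires GOODSIG and VALIDSIG, pins the signing key fingerprint, compares the file@name notation against the expected file name, and rejects signatures older than a valid-max window. It runs over constructed status output rather than a live gpg call; the fingerprint, timestamps and the 30-day valid-max are assumptions.

```bash
#!/bin/bash
# Added example, not part of gpg-bash-lib. Parses gpg --status-fd output
# (the lines gpg writes to the fd named by --status-fd) rather than the exit
# code. The status text, expected fingerprint, expected file name and "now"
# are passed in so the check is deterministic and needs no gpg binary.

# Constructed sample status-fd output for a good signature (key id,
# fingerprint and timestamps are made up, not real keys).
SAMPLE_FPR="0000000000000000000000000123456789ABCDEF"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Test Key <test@example.com>
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA test-file
[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-03-01 1425218187 0 4 0 1 10 00 $SAMPLE_FPR
[GNUPG:] TRUST_ULTIMATE"

# verify_status STATUS_TEXT EXPECTED_FPR EXPECTED_FILE_NAME NOW_UNIXTIME [VALID_MAX_SECONDS]
# Prints "ok" and returns 0 only if every check passes; otherwise prints the
# failing check and returns 1. Default valid-max is 30 days.
verify_status() {
  local status="$1" want_fpr="$2" want_name="$3" now="$4" valid_max="${5:-2592000}"
  local goodsig=false fpr="" sig_time="" notation_name="" file_name="" line
  while IFS= read -r line; do
    set -- $line                        # split the status line on whitespace
    [ "$1" = "[GNUPG:]" ] || continue   # ignore anything that is not a status line
    case "$2" in
      GOODSIG) goodsig=true ;;
      VALIDSIG) fpr="$3"; sig_time="$5" ;;   # field 3: fingerprint, field 5: sig unix time
      NOTATION_NAME) notation_name="$3" ;;
      NOTATION_DATA) if [ "$notation_name" = "file@name" ]; then file_name="$3"; fi ;;
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA) echo "fail: $2"; return 1 ;;
    esac
  done <<EOF
$status
EOF
  [ "$goodsig" = true ] || { echo "fail: no GOODSIG"; return 1; }
  [ -n "$fpr" ] && [ "$fpr" = "$want_fpr" ] || { echo "fail: fingerprint mismatch"; return 1; }
  [ "$file_name" = "$want_name" ] || { echo "fail: file name tampering"; return 1; }
  [ "$sig_time" -le "$now" ] || { echo "fail: signature dated in the future"; return 1; }
  [ $((now - sig_time)) -le "$valid_max" ] || { echo "fail: signature older than valid-max"; return 1; }
  echo "ok"
}
```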


Usage examples:

Main code file:

Specifically, does the status-fd parsing code look sane?

Could you leave some feedback please?

Anyone else interested in contributing?

[1] http://lists.gnupg.org/pipermail/gnupg-devel/2005-December/022559.html
[2] https://www.updateframework.com/
[3] https://github.com/theupdateframework/tuf
[4] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
[5] http://www.webcitation.org/6F7Io2ncN

This post has been automatically cross-posted by whonix.org/blog To see the original (including links), go to https://www.whonix.org/blog/gpg-bash-verification-library
