[Whonix-devel] gpg-bash-lib - gpg file verification bash library - first public release announcement - 0.5-1
Whonix | Privacy and Anonymity OS
newblogpost at whonix.org
Thu Apr 2 15:30:44 CEST 2015
gpg-bash-lib is a gpg file verification bash library, addresses comprehensive threat model, that covers file name tampering, indefinite freeze, rollback, endless data attacks, etc.
Writing bash scripts that do file verification using gpg that really is secure and passes a comprehensive threat model, that covers indefinite freeze, rollback, endless data attacks, etc. is hard.
gpg-bash-lib's goal is to provide a bash library that we can collaboratively develop, audit and abstract the hard work into reuseable functions.
Checking gpg exit codes only is insufficient. Quote Werner Koch  (gnupg lead developer):
"there is no clear distinction between the codes and for proper error reporting you are advised to use the --status-fd messages."
(For a definition of these attacks, see TUF  (The Update Framework)'s  threat model  .)
After installation, if you would run the following command.
You would see the following output.
gpg_bash_lib_output_signed_on_date: March 01 13:56:27 UTC 2015
gpg_bash_lib_output_notation[$file at name]: test-file
- Freshness: Signature is current.
- valid-max: Signatures are valid up to 30 days.
- Signature Creation Date: March 01 13:56:27 UTC 2015
- Current System Date : March 02 16:0:55 UTC 2015
- Local System Clock: Your clock seems okay.
- Relative Signature Creation Time: According to your system clock, signature was created 2 days 26 minutes 3 seconds ago.
All information (Signature Creation Date, etc.) are easily accessible through separate variables, which are all documented.
Main code file:
Specifically, does the status-fd parsing code look sane?
Could you leave some feedback please?
Anyone else interested to contribute?
This post has been automatically cross-posted by whonix.org/blog To see the original (including links), go to https://www.whonix.org/blog/gpg-bash-verification-library
More information about the Whonix-devel