gpg: Make the use of "--verify FILE" for detached sigs harder.

* g10/openfile.c (open_sigfile): Factor some code out to ... (get_matching_datafile): new function. * g10/plaintext.c (hash_datafiles): Do not try to find matching file in batch mode. * g10/mainproc.c (check_sig_and_print): Print a warning if a possibly matching data file is not used by a standard signatures. -- Allowing to use the abbreviated form for detached signatures is a long standing bug which has only been noticed by the public with the release of 2.1.0. :-( What we do is to remove the ability to check detached signature in --batch using the one file abbreviated mode. This should exhibit problems in scripts which use this insecure practice. We also print a warning if a matching data file exists but was not considered because the detached signature was actually a standard signature: gpgv: Good signature from "Werner Koch (dist sig)" gpgv: WARNING: not a detached signature; \ file 'gnupg-2.1.0.tar.bz2' was NOT verified! We can only print a warning because it is possible that a standard signature is indeed to be verified but by coincidence a file with a matching name is stored alongside the standard signature. Reported-by: Simon Nicolussi (to gnupg-users on Nov 7) Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2014-11-13 17:39:31 +01:00 · 2014-11-13 17:39:31 +01:00 · 69384568f6
commit 69384568f6
parent 22748338da
5 changed files with 125 additions and 51 deletions
--- a/g10/openfile.c
+++ b/g10/openfile.c
@ -310,40 +310,64 @@ open_outfile (int inp_fd, const char *iname, int mode, int restrictedperm,
 }


+/* Find a matching data file for the signature file SIGFILENAME and
+   return it as a malloced string.  If no matching data file is found,
+   return NULL.  */
+char *
+get_matching_datafile (const char *sigfilename)
+{
+  char *fname = NULL;
+  size_t len;
+
+  if (iobuf_is_pipe_filename (sigfilename))
+    return NULL;
+
+  len = strlen (sigfilename);
+  if (len > 4
+      && (!strcmp (sigfilename + len - 4, EXTSEP_S "sig")
+          || (len > 5 && !strcmp(sigfilename + len - 5, EXTSEP_S "sign"))
+          || !strcmp(sigfilename + len - 4, EXTSEP_S "asc")))
+    {
+
+      fname = xstrdup (sigfilename);
+      fname[len-(fname[len-1]=='n'?5:4)] = 0 ;
+      if (access (fname, R_OK ))
+        {
+          /* Not found or other error.  */
+          xfree (fname);
+          fname = NULL;
+        }
+    }
+
+  return fname;
+}
+
+
 /*
 * Try to open a file without the extension ".sig" or ".asc"
 * Return NULL if such a file is not available.
 */
-IOBUF
-open_sigfile( const char *iname, progress_filter_context_t *pfx )
+iobuf_t
+open_sigfile (const char *sigfilename, progress_filter_context_t *pfx)
 {
-  IOBUF a = NULL;
-  size_t len;
+  iobuf_t a = NULL;
+  char *buf;

-  if (!iobuf_is_pipe_filename (iname))
+  buf = get_matching_datafile (sigfilename);
+  if (buf)
    {
-      len = strlen(iname);
-      if( len > 4 && (!strcmp(iname + len - 4, EXTSEP_S "sig")
-                      || (len > 5 && !strcmp(iname + len - 5, EXTSEP_S "sign"))
-                      || !strcmp(iname + len - 4, EXTSEP_S "asc")))
+      a = iobuf_open (buf);
+      if (a && is_secured_file (iobuf_get_fd (a)))
        {
-          char *buf;
-
-          buf = xstrdup(iname);
-          buf[len-(buf[len-1]=='n'?5:4)] = 0 ;
-          a = iobuf_open( buf );
-          if (a && is_secured_file (iobuf_get_fd (a)))
-            {
-              iobuf_close (a);
-              a = NULL;
-              gpg_err_set_errno (EPERM);
-            }
-          if (a && opt.verbose)
-            log_info (_("assuming signed data in '%s'\n"), buf);
-          if (a && pfx)
-            handle_progress (pfx, a, buf);
-          xfree (buf);
-	}
+          iobuf_close (a);
+          a = NULL;
+          gpg_err_set_errno (EPERM);
+        }
+      if (a)
+        log_info (_("assuming signed data in '%s'\n"), buf);
+      if (a && pfx)
+        handle_progress (pfx, a, buf);
+      xfree (buf);
    }

  return a;