[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects

development

#1

Originally published at: https://www.whonix.org/blog/gpg-signature-verification-bypass
Issue of torbrowser-launcher using gpg command line.

[or call it an issue of the gnupg interface and its difficulty using it inside scripts, unfinished python gpg libraries etc.]

https://github.com/micahflee/torbrowser-launcher/issues/229

Whonix consistently uses gpg-bash-lib. I’ve checked, that it is not affected by this issue. I.e. explicitly defining sig file and data file.

https://github.com/Whonix/gpg-bash-lib/blob/833da423f8d5e95fc08de1d68a0a544109dadbe4/usr/lib/gpg-bash-lib/modules.d/50_common#L281-L282

However, I welcome review for this issue and gpg-bash-lib generally. Also other (build) scripts using gpg may be affected.


#2

Problem fixed in torbrowser launcher: https://twitter.com/micahflee/status/710148540480131072


#3