Hi,
On Mon, 23 Jul 2007, Carlos Rica wrote:
> 2007/7/23, Johannes Schindelin <Johannes.Schindelin@xxxxxx>:
> > On Mon, 23 Jul 2007, Carlos Rica wrote:
> > > +static int run_gpg_verify(const char *buf, unsigned long size, int
> > verbose)
> > > +{
> > > + struct child_process gpg;
> > > + const char *args_gpg[] = {"gpg", "--verify", "FILE", "-", NULL};
> > > + char *path, *eol;
> > > + size_t len;
> > > + int fd, ret;
> > > +
> > > + path = xstrdup(git_path("VTAG_TMP"));
> > > + fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);
> > > + if (fd < 0)
> > > + return error("could not create temporary file '%s': %s",
> > > + path, strerror(errno));
> > > + if (write_in_full(fd, buf, size) < 0)
> > > + return error("failed writing temporary file '%s': %s",
> > > + path, strerror(errno));
> > > + close(fd);
> >
> > I just tested something like "gpg --verify - - < <filename>" and it
> > worked...
>
> I couldn't verify tags using "gpg --verify - - <file" as you
> pointed in your response.
As discussed on IRC, my test did not use a detached signature, while tags
_do_ use a detached signature.
Oh, well. I retract my suggestion. But I slightly disagree that having
to write a temporary file is good for security, as the gpg man page
suggests:
--verify [[sigfile] [signed-files]]
[...] To read the signed stuff from stdin, use - as the second
filename. For security reasons a detached signature cannot read
the signed material from stdin without denoting it in the above
way.
So we have to live, or die, with the temporary file.
Just one request: please use lock_file, to prevent multiple instances from
getting confused... Even if that cannot be 100% secure: if you write to
the file, and only then start gpg, there is still the odd chance for an
attacker. Even if you created the file with 0600 (very wise, BTW).
Ciao,
Dscho
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
