Security Concern: Unsigned Windows Executable

John Clizbe John at Mozilla-Enigmail.org
Tue Jun 2 12:26:01 CEST 2009 

Doug Bateman wrote:
> I challenged myself to verify all software that I download on my new
> machine is verified and signed.  Sadly, Win-GnuPG let me down.  Heres why.

What's Win-GnuPG? Are you referring to the windows installer build of
GnuPG from http://www.gnupg.org/download/ as such? It's just GnuPG.

> Most software was distributed as a signed .exe file (using the Windows
> signed .EXE format).  Some was not signed, but available via an https
> connection, allowing me to verify the originating source.  And some,
> such as Gygwin, WinGnuPG, and sha1sum, required I already have GnuPG or
> sha1sum already installed to verify the .sig.  Of course, this creates a
> bootstrapping problem for several reasons: 1) These .exe's aren't signed
> windows .exe's, 2) They aren't available via https (and thus can't
> ensure there isnt' a man-in-the middle), and 3) Even if I had sha1sum,
> I'd have to use http and not https to download the .sig file, allowing
> for the man-in-the-middle to deliver a checksum matching his hacked version.
> 
> Using GnuPG to verify downloads does nothing, if I can't verify that
> GnuPG itself isn't valid.

I believe the Windows signed .EXE format is X.509 cert based and as such
isn't going to help much if the signing certificate doesn't chain back
to Windows set of root certs. COTS products will probably invest the
money to implement this, it's unlikely for F/OSS. It also assumes the
Microsoft technology to create Authenticode signatures is available to
F/OSS developers.

Your MITM scenarios leave out the crucial step of your attacker also
needing to possess Werner Koch's signing key. The .SIG is not just a
checksum, it is a digital signature. The verification looks like this:

    $ gpg -v gnupg-w32cli-1.4.9.exe.sig
    gpg: assuming signed data in `gnupg-w32cli-1.4.9.exe'
    gpg: Signature made 03/26/08 12:51:54 using RSA key ID 1CE0C630
    gpg: using PGP trust model
    gpg: Good signature from "Werner Koch (dist sig) <dd9jn at gnu.org>"
    gpg: binary signature, digest algorithm SHA1

Your #3 comment is confusing. There is no .SIG to download if verifying
with sha1sum. You run sha1sum against the file you wish to verify and
compare the program output with the published value.

Are you proposing some MITM attack of a replaced installer executable
with an /identical/ SHA-1 value?

sha1sum and md5sum are widely available as source.  If you're so
committed to this verified and signed thing that you're unwilling to
trust anything, you probably should look into building some things of
your own.

sha1sum is available as source and/or windows executable along  with the
respective digital signatures from ftp://ftp.gnupg.org/gcrypt/binary/

Sooner or later you have to establish a base trust.

OH! Maybe you could use an eval version of PGP to verify the
cryptographic signature on the GnuPG installer. Of course that probably
hinges on its installer being a Windows signed-executable right? ;-)

Links discussed in this message:
Installer:
    ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe

Installer signature
    ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe.sig

SHA-1 checksum for Installer
    c2efad983dfe50e6d8007257bad2c76604be389a  gnupg-w32cli-1.4.9.exe

> P.S.  Please CC: me on the reply if possible.

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 678 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090602/906c56c6/attachment.pgp>

More information about the Gnupg-users mailing list