Expected behaviour setting TOFU policy

Konstantin Ryabitsev konstantin at linuxfoundation.org
Thu Feb 15 23:20:14 CET 2018


Hi, all:

I am not sure if what I am experiencing is expected TOFU behaviour or 
not, and I'm hoping someone can help me figure that out. I'll show on a 
live example (skipping irrelevant output).
This is gnupg-2.2.4 on Fedora 26.

  [user at disp1132 ~]$ export GNUPGHOME=$(mktemp -d)
  [user at disp1132 ~]$ gpg2 --locate-keys gregkh at kernel.org
  [user at disp1132 ~]$ curl -O https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.3
  [user at disp1132 ~]$ curl -O https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.3.sign
  [user at disp1132 ~]$ gpg2 --verify ChangeLog-4.15.3.sign
  gpg: assuming signed data in 'ChangeLog-4.15.3'
  gpg: Signature made Mon Feb 12 01:07:40 2018 EST
  gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
  gpg: Good signature from "Greg Kroah-Hartman <gregkh at kernel.org>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

Since there is no existing TOFU db, that's expected output, right? The trust
model guesser decides we're using the PGP model. So, let's create tofu.db by
setting tofu-policy to good on Greg's key:

  [user at disp1132 ~]$ gpg2 --tofu-policy good 647F28654894E3BD457199BE38DBBDC86092693E
  gpg: Setting TOFU trust policy for new binding <key: 647F28654894E3BD457199BE38DBBDC86092693E, user id: Greg Kroah-Hartman <gregkh at kernel.org>> to good.
  [user at disp1132 ~]$ gpg2 --check-trustdb
  gpg: no ultimately trusted keys found

Here is where I get an unexpected result rerunning the --verify command, 
which I expected to return a different result:

  [user at disp1132 ~]$ gpg2 --verify ChangeLog-4.15.3.sign 
  gpg: assuming signed data in 'ChangeLog-4.15.3'
  gpg: Signature made Mon Feb 12 01:07:40 2018 EST
  gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
  gpg: Good signature from "Greg Kroah-Hartman <gregkh at kernel.org>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

Same as before. Since I have tofu.db now, the trust-model should have
switched to tofu+pgp, no?

  [user at disp1132 ~]$ ls $GNUPGHOME
  crls.d  private-keys-v1.d  pubring.kbx  pubring.kbx~  tofu.db  trustdb.gpg

At least, if I set trust-model on the command line, I get the TOFU output I
expect:

  [user at disp1132 ~]$ gpg2 --trust-model tofu+pgp --verify ChangeLog-4.15.3.sign 
  gpg: assuming signed data in 'ChangeLog-4.15.3'
  gpg: Signature made Mon Feb 12 01:07:40 2018 EST
  gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
  gpg: checking the trustdb
  gpg: no ultimately trusted keys found
  gpg: Good signature from "Greg Kroah-Hartman <gregkh at kernel.org>" [full]
  gpg: gregkh at kernel.org: Verified 1 signature in the past 0 seconds.  Encrypted 0 messages.

But wait, now I can omit --trust-model from the command line and I get the same
TOFU-based result, implying that trust-model tofu+pgp now sticks, even though
I've modified no config files:

  [user at disp1132 ~]$ gpg2 --verify ChangeLog-4.15.3.sign 
  gpg: assuming signed data in 'ChangeLog-4.15.3'
  gpg: Signature made Mon Feb 12 01:07:40 2018 EST
  gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
  gpg: Good signature from "Greg Kroah-Hartman <gregkh at kernel.org>" [full]
  gpg: gregkh at kernel.org: Verified 1 signature in the past 58 seconds.  Encrypted 0 messages.

I'm guessing this is not exactly the expected behaviour?

Best,
Konstantin