DSA GnuPG signatures

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DSA GnuPG signatures

From:	Vladimir 'φ-coder/phcoder' Serbinenko
Subject:	DSA GnuPG signatures
Date:	Fri, 11 Jan 2013 21:54:22 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20121122 Icedove/10.0.11

Hello, all. I've just committed import of libgcrypt and implementation
of related code to check signatures. Short usage:
verify_detached FILE FILE.sig [pubkey.gpg]
trust KEY.gpg
distruct KEYID
check_signatures=[enforce|no]

grub-mkimage -k KEY gcry_dsa verify [...]

When check_signatures=enforce every time anthing tries to open a file
its signature (file.sig) is looked for and the open fails if signature
is absent or invalid.
Some limitations:
1) DSA keys only. RSA is more tricky since it needs padding and RSA
should be progressively phased out, not put into new places due to some
vulnerabilities (large classes of semiprimes are factorisable up to the
point when a lot of care has to be taken to avoid them).
2) Not efficient. Checking every file is slow. Some hashlists should be
implemented.
3) Not efficient. File is read twice though it's avoidable in many cases.
-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

DSA GnuPG signatures, Vladimir 'φ-coder/phcoder' Serbinenko <=
- Re: DSA GnuPG signatures, Colin Watson, 2013/01/11
  - Re: DSA GnuPG signatures, Vladimir 'φ-coder/phcoder' Serbinenko, 2013/01/11
- Re: DSA GnuPG signatures, Andrey Borzenkov, 2013/01/13
  - Re: DSA GnuPG signatures, Vladimir 'φ-coder/phcoder' Serbinenko, 2013/01/13
- Re: DSA GnuPG signatures, Andrey Borzenkov, 2013/01/31

Prev by Date: Re: [PATCH] Removing nested functions, part one of lots
Next by Date: Re: DSA GnuPG signatures
Previous by thread: Detecting running platform (specifically EFI) during runtime?
Next by thread: Re: DSA GnuPG signatures
Index(es):
- Date
- Thread