From: Jim Hyslop
Subject: Re: [task #4633] GPG-Signed Commits
Date: Wed, 21 Sep 2005 12:19:18 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
Derek Price wrote:
> Jim Hyslop wrote:
>> How about if CVS/Base contains the revision exactly as stored in the RCS file (which will then allow the RCS keywords to be included in the signature), and the server also sends a patch that expands the keyword, which would be stored in a separate file, such as .#filename.revision.kwd. Since these files contain only the patches required (if any) to expand RCS keywords, the files will be fairly small. Thoughts?
>
> This was my original design actually, before I noticed the exploit, and this is exactly the situation that can be exploited. The point is that the server supplies the content of that keyword file and not all of it can be signed, so the content of your keyword info file, once substituted into the verified file, could compromise it.
Either way, if the server is compromised, the local file ends up containing the exploit.
However, there is a difference: if CVS/Base contains the expanded keywords, then there is absolutely no way for me to validate the signature on my local copy of the file. If, on the other hand, CVS/Base contains the exact file as checked in by the user, I can validate the signature, and examine the keyword patch file to look for any irregularities. It's not a perfect solution, since I have to examine the keyword file manually, but it gets part way there.
-- Jim
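The manual inspection Jim describes can be automated in part. The script below is an added example, not code from the thread or from CVS: instead of parsing the keyword patch file, it compares the working copy (the result of applying that patch) against the signed CVS/Base revision and accepts it only if every difference is confined to an RCS keyword expansion of the form `$Keyword: value $`. The file names, keyword values and the tampered line are constructed sample data.

```python
import re

# RCS keywords whose expansion is a one-line "$Kw: value $" substitution.
# $Log$ is deliberately left out: it appends whole lines to the file, so a
# working copy with an expanded $Log$ fails this check and gets a manual look.
RCS_KEYWORDS = ("Author", "Date", "Header", "Id", "Locker", "Name",
                "RCSfile", "Revision", "Source", "State")
_KEYWORD_RE = re.compile(r"\$(%s)\$" % "|".join(RCS_KEYWORDS))


def expansion_pattern(base):
    """Build a regex matching exactly the texts obtainable from the signed
    revision `base` by expanding (or leaving alone) its RCS keywords.
    Returns the compiled pattern and the keywords in order of appearance."""
    parts, keywords, pos = [], [], 0
    for m in _KEYWORD_RE.finditer(base):
        parts.append(re.escape(base[pos:m.start()]))  # literal text: must match exactly
        # "$Id$" or "$Id: value $"; the value may contain neither "$" nor a
        # newline, so server-supplied text cannot spill outside the keyword.
        parts.append(r"\$%s(?:: ([^$\n]*))?\$" % m.group(1))
        keywords.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(base[pos:]))
    return re.compile("".join(parts)), keywords


def check_working_file(base, working):
    """Return (ok, expansions). ok is True only when `working` equals `base`
    with keywords expanded and nothing else changed. expansions lists the
    (keyword, value) pairs the server filled in (value None if unexpanded),
    so the reviewer can inspect exactly what came from the server."""
    pattern, keywords = expansion_pattern(base)
    m = pattern.fullmatch(working)
    if m is None:
        return False, []
    values = [v.strip() if v is not None else None for v in m.groups()]
    return True, list(zip(keywords, values))


# Constructed sample: the signed revision as stored in the RCS file, the
# working copy after legitimate keyword expansion, and a working copy that
# also carries a line the signed revision never contained.
SIGNED_BASE = "/* $Id$ */\n/* $Revision$ */\nint version = 1;\n"
EXPANDED_OK = ("/* $Id: foo.c,v 1.3 2005/09/21 16:19:18 jim Exp $ */\n"
               "/* $Revision: 1.3 $ */\nint version = 1;\n")
EXPANDED_TAMPERED = EXPANDED_OK + "int injected_by_server = 1;\n"

if __name__ == "__main__":
    for name, text in (("ok", EXPANDED_OK), ("tampered", EXPANDED_TAMPERED)):
        print(name, check_working_file(SIGNED_BASE, text))
```

The check only confines server-supplied text to the keyword values it returns; those values still deserve a look, since a keyword placed inside a string literal rather than a comment gives the value a different meaning to the compiler.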