Re: [PATCH] Fix releasing procedure

[Alexandre Duret-Lutz]

>>> "Gary" == Gary V Vaughan <address@hidden> writes:

[...]

 >> At that point I already know that echo is a built-in (the script has
 >> exited otherwise).  I don't understand how PATH could matter.

 Gary> Where does it exit?  Do you mean when it is reading the passphrase?

Exactly.  I realize that if you missed the `set -e' at the top
of the script, it may look like the script was written while I
was drunk.  I hope things look more sensible once `set -e'
enters the equation: errors are all fatal unless told otherwise.
(And BTW, I'm a teetotal...)

[...]

 >> > Better than PATH fiddling in the environment, it would be good to
 >> > detect bash and use 'builtin echo' (and similar for ksh and zsh).  I
 >> > think you should also call gpg with an absolute path to forestall a
 >> > trojan gpg which could log the passphrase.
 >>
 >> I don't know the absolute path to use, unless I browse PATH.  Maybe
 >> you mean I should allow $GPG to be set by the user?  (This seems as
 >> dangerous as honoring PATH.)

 Gary> It is!  I mean hardcode "GPG=/usr/bin/gpg", and have the
 Gary> sysadmin edit the script or put a link in /usr/bin rather
 Gary> than searching the PATH (implicitly or otherwise).

OK

 >>> I'd be happier using the script if you supported quintuple agent, so
 >>> that if gpg is getting it's passphrase from gpg-agent already, then
 >>> there is no need to save it in the script at all.
 >>
 >> This would be nice.  I've heard about gpg-agent already, but never
 >> used it.  Is there a Debian package for this?  I could not find it.

 Gary> I don't know, I use OSX :-b

Please accept my condolence.  I'm suffering OSX at work too :(

 Gary> Yes it is in debian, and it provides a wrapper that makes
 Gary> gpg query the agent instead of the user.

 Gary> ~    http://packages.debian.org/stable/utils/quintuple-agent

Thank you!  I'll look into it.  (I was searching for gpg-agent.)

 >> > I'm no security expert, and even I've found a couple of
 >> > vulnerabilities.  I have to say that I wouldn't use the script on a
 >> > networked machine as it stands.
 >>
 >> Oh, as far as I'm concerned I wouldn't use gpg on a machine which I
 >> don't fully control.  That may explain our different concerns :)

 Gary> Well, I wouldn't store my private keys on a machine that
 Gary> I don't control, but I would type my passphrase at an
 Gary> agent or gpg binary that I installed.

I wouldn't do this either.  For instance I always use OTPs to
log into my home machine from a remote one.  I have to be
paranoid outside to feel safe at home.  (I was recently
frightened when I discovered that my Mac was equipped with a
remote control application, so the sysadmin could remotely spy
what I do, what I type, or do it for me.)

 >> Whether my passphrase is stored in an agent process or in a shell
 >> variable does not worry me; because to my (limited) knowledge the only
 >> other user that can spy it is root, and root is me.

 Gary> Unless your machine is on the network and has
 Gary> consequently been compromised.  Even root should not be
 Gary> able to get your passphrase (although if he can steal
 Gary> your private key, you are in a bit of a mess already).

Root can read and write the whole physical memory.

Try this as root on the box where you are reading this mail.
# strings /dev/mem | grep 'use OTPs'

Here it displays the two matching lines of this mail (among
other instances) as they appear in emacs when I'm typing them.

I just tried to store a secret passphrase with q-agent, and was
able to retrieve it this way by grepping part of it.  The nice
things with agents is they keep interesting things in memory for
more time than the ordinary processes.  If the memory is marked
secure (gpg and q-agent do that) its even simpler because you
don't have to grep the swap too :)

So unless you control root, storing the passphrase in a shell
variable does not seem less secure than storing it in an agent.
--
Alexandre Duret-Lutz