NetBSD-Bugs archive


misc/42383: Developer PGP key signing example is wrong for gpg 1.4.9



>Number:         42383
>Category:       misc
>Synopsis:       Developer PGP key signing example is wrong for gpg 1.4.9
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 27 13:10:00 +0000 2009
>Originator:     Andreas Gustafsson
>Release:        N/A
>Organization:
>Environment:
System: NetBSD guava.gson.org 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:

The instructions for signing PGP keys at
http://www.netbsd.org/developers/pgp.html contain the following
example:

  % cat >> moe%doe.org@localhost
  Hi Moe,

  please return this message to me. Please sign and encrypt it.

  Thanks,
  Joe
  ^D
  % dd if=/dev/urandom count=1 | md5 >> moe%doe.org@localhost
  % gpg --armor --encrypt moe%doe.org@localhost > moe%doe.org.asc@localhost

When following this example using GnuPG version 1.4.9, two issues
arise:

1. gpg prompts you with

  You did not specify a user ID. (you may use "-r")

  Current recipients:

Would it not make more sense to specify "-r moe%doe.org@localhost" on the
command line, thereby eliminating the user interaction, the need
to figure out what to answer, and the risk of answering incorrectly?

2. gpg prompts you with

  File `moe%doe.org.asc@localhost' exists. Overwrite? (y/N)

This is because gpg will actually write the encrypted message to the
file "moe%doe.org.asc@localhost" and not to standard output; the redirection
"> moe%doe.org.asc@localhost" in the example is unnecessary and only has the
effect of creating an empty file which triggers the "Overwrite?"  question
and which will then be overwritten if you answer "y" to the above
question.  Did some earlier version of gpg perhaps require the
redirection?

To fix both issues, I think the last line of the example ought to say

  % gpg --armor --encrypt -r moe%doe.org@localhost moe%doe.org@localhost

but I'm not comfortable committing the change without review since
this is a security-critical procedure and I actually know next to
nothing about PGP.

>How-To-Repeat:

Try to sign a developer's key following the instructions.  Get confused.

>Fix:


