Keep signed files executable
Closed, Resolved (Public)

Description

Scripts signed with gnupg become binary garbage, and detached signatures are
just inconvenient.

Yet, Shell, Perl, Python and Ruby files may remain executable if the detached
signature is embedded as a comment at the bottom of the file:
#-----BEGIN PGP SIGNATURE-----
#Version: GnuPG v1...

For a practical example:
signed file: http://ftp.waf.io/pub/release/waf-1.8.5
create signed scripts: http://waf.googlecode.com/git/utils/sign_file.py
verify signed scripts: http://waf.googlecode.com/git/utils/verify-sig.py

And the same thing could be said for executables: it would be much better if
signatures could be embedded so that the signatures are always attached to the
data they relate to.

This would actually be a building block for more functionality: on a system
where executables are signed it would be much more difficult to tamper with the
system files, the kernel/interpreters could verify all executables easily.
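The embedding described above, as an added example that is not part of the original report and not the waf project's sign_file.py or verify-sig.py: a payload is followed by the ASCII-armored detached signature with every line prefixed by `#`, so the interpreter ignores it, and the verifier splits the two apart again before handing them to `gpg --verify`. The armored block in the example is constructed filler, not a signature any key would verify; `verify_with_gpg` assumes a `gpg` binary on `PATH` with the signer's key in the keyring. The split deliberately insists that the armored block is the last thing in the file, because any bytes after the END line would execute but not be covered by the signature.

```python
"""Embed a detached OpenPGP signature as a trailing '#' comment so a script
stays executable, and split it back out for verification.

Added example; not code from waf or GnuPG. SAMPLE_ARMORED_SIG is constructed
filler, not a real signature."""
import subprocess
import tempfile
from pathlib import Path

BEGIN = b"-----BEGIN PGP SIGNATURE-----"
END = b"-----END PGP SIGNATURE-----"

# Constructed stand-in for the output of `gpg --armor --detach-sign`; the
# base64 body is filler and will not verify against any key.
SAMPLE_ARMORED_SIG = b"""-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJUjnWnAAoJEPlaceholderPlaceholderPlaceholderPlaceholderPlac
=AbCd
-----END PGP SIGNATURE-----
"""


def embed_signature(payload: bytes, armored_sig: bytes) -> bytes:
    """Return payload followed by the armored signature, each line prefixed
    with '#' so interpreters treat it as a comment.

    The signer must have signed exactly `payload` (including its final
    newline), because that is what split_signed_script() hands back."""
    if not payload.endswith(b"\n"):
        raise ValueError("payload must end with a newline so the comment starts on its own line")
    lines = armored_sig.rstrip(b"\n").split(b"\n")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an ASCII-armored detached signature")
    commented = b"".join(b"#" + line + b"\n" for line in lines)
    return payload + commented


def split_signed_script(data: bytes) -> "tuple[bytes, bytes]":
    """Split a signed script into (payload, armored_sig).

    Defensive checks: the armored block must be the *last* thing in the file
    (bytes after the END line would run unsigned), and every line of the block
    must carry the '#' prefix. A BEGIN marker earlier in the body is ignored:
    only the final block counts, and the signature must cover everything
    before it."""
    idx = data.rfind(b"\n#" + BEGIN + b"\n")
    if idx < 0:
        raise ValueError("no embedded signature found")
    payload = data[: idx + 1]          # keep the newline that ends the body
    block = data[idx + 1:]
    if not block.endswith(b"\n"):
        raise ValueError("signature block is truncated or followed by unsigned data")
    lines = block[:-1].split(b"\n")
    if lines[-1] != b"#" + END:
        raise ValueError("data after the END line would be unsigned; refusing")
    if any(not line.startswith(b"#") for line in lines):
        raise ValueError("signature block contains an uncommented line")
    armored = b"".join(line[1:] + b"\n" for line in lines)
    return payload, armored


def verify_with_gpg(data: bytes, gpg: str = "gpg") -> bool:
    """Write payload and signature to temporary files and run
    `gpg --batch --verify SIG PAYLOAD`. True only when gpg exits 0, which
    requires the signer's key to be present (and trusted) in the keyring."""
    payload, armored = split_signed_script(data)
    with tempfile.TemporaryDirectory() as tmp:
        payload_path = Path(tmp, "payload")
        sig_path = Path(tmp, "payload.asc")
        payload_path.write_bytes(payload)
        sig_path.write_bytes(armored)
        result = subprocess.run(
            [gpg, "--batch", "--verify", str(sig_path), str(payload_path)],
            capture_output=True,
        )
        return result.returncode == 0


if __name__ == "__main__":
    script = b"#!/bin/sh\necho hello\n"
    signed = embed_signature(script, SAMPLE_ARMORED_SIG)
    body, sig = split_signed_script(signed)
    assert body == script and sig == SAMPLE_ARMORED_SIG
    print(signed.decode())
```

Run the module directly to see the signed layout; with a real detached signature in place of the filler, `verify_with_gpg(Path("script").read_bytes())` performs the same split and defers the cryptographic check to gpg.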

ita added a subscriber: ita.
werner added a subscriber: werner. Dec 15 2014, 6:13 PM

That is something you need to build into your language's interpreter or into the
OS proper (for the ELF, COFF, or the shebang hack). We can't do anything in gpg
with that. It is of course possible to do that. For example, many years ago I
wrote such a system for ELF, with gpg used by a tool for signing and a dedicated
verification module for the OS.

If you like to discuss this, you may want to post to the gnupg-users ML.

ita added a comment. Dec 15 2014, 7:50 PM

The language designers will almost certainly return the ball by saying that it
is not their job to define signatures :-)

Elves and dwarves aside, could we have a bottom signature format that would keep
files readable for shell scripts, Perl, Python, plain text and maybe a few more by
using the last lines in the file as in my example? This is the main request here.

werner closed this task as Resolved. Dec 16 2014, 3:40 PM
werner claimed this task.
werner added a project: Won't Fix.

OpenPGP does not specify this. It is actually not easy to add another format
because that opens the path for all kinds of attacks. Like with the ELF comment
section, you can do the same for any other data format. No, there is no ELF
parser in gpg and there won't be one for any other language.

Please take this to the gnupg-users ML or to the OpenPGP WG. Thanks.