From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 23915@debbugs.gnu.org
Subject: bug#23915: 24.5; editing *.gpg file through emacs presents an unclean (and unsafe) round trip
Date: Thu, 07 Jul 2016 19:56:24 -0400 [thread overview]
Message-ID: <87mvlthujb.fsf@alice.fifthhorseman.net> (raw)
If i edit a file whose name matches the glob *.gpg in emacs, gpg
decrypts it (i'm prompted by the gpg-agent for my passphrase) and i am
presented with the cleartext version of the file to edit.
when i save, it re-encrypts the file.
This is a sensible workflow in general, but there are several strange
properties that make it not a clean round-trip:
a) the original file may or may not have been ascii-armored. The saved
file is always raw (not ascii-armored).
b) the original file may have had an OpenPGP signature inside the
encryption. the saved file never has a signature.
c) the original file may have been encrypted to multiple recipients (in
OpenPGP terms, there are multiple PKESKs, one for each recipient).
The saved file will be encrypted to every recipient whose public key
(as identified by the key ID in the PKESKs) are present in the
editor's keyring. (if the file also was passphrase-encrypted, the
SKESK is dropped)
I think the right approach to resolve these would be:
A) remember whether the file was ASCII-armored initially or not, and
use that value when saving.
B) If an OpenPGP signature was present in the document when opening,
warn (with e.g. *Messages* ? prompting for confirmation?) when
trying to save that the resulting file will destroy the signature.
C) if more than a single PKESK or SKESK is present when opening, warn
(again, with *Messages* ? prompting for confirmation?) when trying
to save that all other PKESKs or SKESKs will be dropped for the
re-saved file.
The resolution (C) is unsatisfying, but there is no safe/complete answer
given the OpenPGP data structure:
On the one hand, we can't guarantee replication of the full set of
recipients PKESKs, because the editor may not have the associated public
keys in her keyring.
On the other hand, the PKESKs are not cryptographically-authenticated at
all. So if we re-encrypt to all, an attack presents itself:
* Mallory knows that Alice and Bob are planning something;
* Mallory knows the secret key according to some encryption-capable
public key X in Alice's public keyring;
* Mallory intercepts an encrypted document D sent from Bob to Alice.
* Mallory prepends D with a phony PKESK with the key ID of X, creating
new document D'
* Mallory replaces D with D' in Bob's message to Alice.
* Alice edits the document, creating new document E, and sends E back
to Bob.
* Mallory intercepts E, decrypts it with X, strips the extra
PKESK creating E', and forwards E' on to Bob.
Hope this makes sense! Happy to clarify if you have any questions.
--dkg
In GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
of 2016-04-08 on binet, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11803000
System Description: Debian GNU/Linux testing/unstable
Configured using:
`configure --build x86_64-linux-gnu --prefix=/usr
--sharedstatedir=/var/lib --libexecdir=/usr/lib
--localstatedir=/var/lib --infodir=/usr/share/info
--mandir=/usr/share/man --with-pop=yes
--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.5/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.5/site-lisp:/usr/share/emacs/site-lisp
--build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib
--libexecdir=/usr/lib --localstatedir=/var/lib
--infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes
--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.5/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.5/site-lisp:/usr/share/emacs/site-lisp
--with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars
'CFLAGS=-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2' LDFLAGS=-Wl,-z,relro'
Important settings:
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
Major mode: Fundamental
Minor modes in effect:
diff-auto-refine-mode: t
savehist-mode: t
display-time-mode: t
tooltip-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Recent messages:
Loading /etc/emacs/site-start.d/51debian-el.el (source)...done
No desktop file.
For information about GNU Emacs and the GNU system, type C-h C-a.
Decrypting /home/dkg/tmp/foo.gpg...done
End of buffer
Saving file /home/dkg/tmp/foo.gpg...
Buffer foo.gpg does not end in newline. Add one? (y or n) y
Untrusted key XXXXXXXXXXXXXXXX REDACTED_NAME <REDACTED_EMAIL_ADDRESS>. Use anyway? (y or n) y
Encrypting /home/dkg/tmp/foo.gpg... [2 times]
Wrote /home/dkg/tmp/foo.gpg [2 times]
Load-path shadows:
/usr/share/emacs24/site-lisp/cmake-data/cmake-mode hides /usr/share/emacs/site-lisp/cmake-mode
/usr/share/emacs/24.5/site-lisp/debian-startup hides /usr/share/emacs/site-lisp/debian-startup
/usr/share/emacs/site-lisp/rst hides /usr/share/emacs/24.5/lisp/textmodes/rst
Features:
(shadow sort gnus-util mail-extr emacsbug epa-file epa derived epg
package epg-config notmuch hl-line notmuch-maildir-fcc notmuch-hello
wid-edit notmuch-tree notmuch-show notmuch-message notmuch-print
notmuch-crypto notmuch-mua notmuch-address notmuch-company
notmuch-parser notmuch-wash diff-mode coolj notmuch-query goto-addr
thingatpt icalendar diary-lib diary-loaddefs cal-menu calendar
cal-loaddefs notmuch-tag crm notmuch-lib advice notmuch-version cl gv
message sendmail format-spec rfc822 mailabbrev mail-utils gmm-utils
mailheader mm-view mml-smime smime password-cache dig mailcap mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
rfc2047 rfc2045 ietf-drums mm-util help-fns mail-prsvr savehist time
desktop frameset cl-loaddefs cl-lib debian-el debian-el-loaddefs
haskell-mode-autoloads emacs-goodies-el emacs-goodies-custom
emacs-goodies-loaddefs easy-mmode dpkg-dev-el dpkg-dev-el-loaddefs
bbdb-autoloads time-date tooltip electric uniquify ediff-hook vc-hooks
lisp-float-type mwheel x-win x-dnd tool-bar dnd fontset image regexp-opt
fringe tabulated-list newcomment lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cham georgian utf-8-lang misc-lang
vietnamese tibetan thai tai-viet lao korean japanese hebrew greek
romanian slovak czech european ethiopic indian cyrillic chinese
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind
gfilenotify dynamic-setting system-font-setting font-render-setting
move-toolbar gtk x-toolkit x multi-tty emacs)
Memory information:
((conses 16 113554 6541)
(symbols 48 22919 0)
(miscs 40 43 86)
(strings 32 25862 4332)
(string-bytes 1 791709)
(vectors 16 14367)
(vector-slots 8 431934 2841)
(floats 8 79 326)
(intervals 56 269 9)
(buffers 960 12)
(heap 1024 37164 997))
reply other threads:[~2016-07-07 23:56 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mvlthujb.fsf@alice.fifthhorseman.net \
--to=dkg@fifthhorseman.net \
--cc=23915@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.