From: Daniel Kahn Gillmor
Newsgroups: gmane.emacs.bugs
Subject: bug#23915: 24.5; editing *.gpg file through emacs presents an unclean (and unsafe) round trip
Date: Thu, 07 Jul 2016 19:56:24 -0400
Message-ID: <87mvlthujb.fsf@alice.fifthhorseman.net>
To: 23915@debbugs.gnu.org

If i edit a file whose name matches the glob *.gpg in emacs, gpg decrypts it (i'm prompted by the gpg-agent for my passphrase) and i am presented with the cleartext version of the file to edit. when i save, it re-encrypts the file.

This is a sensible workflow in general, but there are several strange properties that make it not a clean round-trip:

 a) the original file may or may not have been ascii-armored. The saved file is always raw (not ascii-armored).

 b) the original file may have had an OpenPGP signature inside the encryption. the saved file never has a signature.

 c) the original file may have been encrypted to multiple recipients (in OpenPGP terms, there are multiple PKESKs, one for each recipient). The saved file will be encrypted to every recipient whose public key (as identified by the key ID in the PKESKs) is present in the editor's keyring. (if the file also was passphrase-encrypted, the SKESK is dropped)

I think the right approach to resolve these would be:

 A) remember whether the file was ASCII-armored initially or not, and use that value when saving.

 B) If an OpenPGP signature was present in the document when opening, warn (with e.g. *Messages* ? prompting for confirmation?) when trying to save that the resulting file will destroy the signature.

 C) if more than a single PKESK or SKESK is present when opening, warn (again, with *Messages* ? prompting for confirmation?) when trying to save that all other PKESKs or SKESKs will be dropped for the re-saved file.

The resolution (C) is unsatisfying, but there is no safe/complete answer given the OpenPGP data structure:

On the one hand, we can't guarantee replication of the full set of recipients' PKESKs, because the editor may not have the associated public keys in her keyring.

On the other hand, the PKESKs are not cryptographically-authenticated at all. So if we re-encrypt to all, an attack presents itself:

 * Mallory knows that Alice and Bob are planning something;

 * Mallory knows the secret key according to some encryption-capable public key X in Alice's public keyring;

 * Mallory intercepts an encrypted document D sent from Bob to Alice.

 * Mallory prepends D with a phony PKESK with the key ID of X, creating new document D'

 * Mallory replaces D with D' in Bob's message to Alice.

 * Alice edits the document, creating new document E, and sends E back to Bob.

 * Mallory intercepts E, decrypts it with X, strips the extra PKESK creating E', and forwards E' on to Bob.

Hope this makes sense! Happy to clarify if you have any questions.

        --dkg

In GNU Emacs 24.5.1 (x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2016-04-08 on binet, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11803000
System Description: Debian GNU/Linux testing/unstable

Configured using:
 `configure --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib --libexecdir=/usr/lib --localstatedir=/var/lib --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.5/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.5/site-lisp:/usr/share/emacs/site-lisp --build x86_64-linux-gnu --prefix=/usr --sharedstatedir=/var/lib --libexecdir=/usr/lib --localstatedir=/var/lib --infodir=/usr/share/info --mandir=/usr/share/man --with-pop=yes --enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.5/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.5/site-lisp:/usr/share/emacs/site-lisp --with-x=yes --with-x-toolkit=gtk3 --with-toolkit-scroll-bars 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' LDFLAGS=-Wl,-z,relro'

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  diff-auto-refine-mode: t
  savehist-mode: t
  display-time-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Loading /etc/emacs/site-start.d/51debian-el.el (source)...done
No desktop file.
For information about GNU Emacs and the GNU system, type C-h C-a.
Decrypting /home/dkg/tmp/foo.gpg...done
End of buffer
Saving file /home/dkg/tmp/foo.gpg...
Buffer foo.gpg does not end in newline. Add one? (y or n) y
Untrusted key XXXXXXXXXXXXXXXX REDACTED_NAME . Use anyway? (y or n) y
Encrypting /home/dkg/tmp/foo.gpg... [2 times]
Wrote /home/dkg/tmp/foo.gpg [2 times]

Load-path shadows:
/usr/share/emacs24/site-lisp/cmake-data/cmake-mode hides /usr/share/emacs/site-lisp/cmake-mode
/usr/share/emacs/24.5/site-lisp/debian-startup hides /usr/share/emacs/site-lisp/debian-startup
/usr/share/emacs/site-lisp/rst hides /usr/share/emacs/24.5/lisp/textmodes/rst

Features:
(shadow sort gnus-util mail-extr emacsbug epa-file epa derived epg package epg-config notmuch hl-line notmuch-maildir-fcc notmuch-hello wid-edit notmuch-tree notmuch-show notmuch-message notmuch-print notmuch-crypto notmuch-mua notmuch-address notmuch-company notmuch-parser notmuch-wash diff-mode coolj notmuch-query goto-addr thingatpt icalendar diary-lib diary-loaddefs cal-menu calendar cal-loaddefs notmuch-tag crm notmuch-lib advice notmuch-version cl gv message sendmail format-spec rfc822 mailabbrev mail-utils gmm-utils mailheader mm-view mml-smime smime password-cache dig mailcap mml easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047 rfc2045 ietf-drums mm-util help-fns mail-prsvr savehist time desktop frameset cl-loaddefs cl-lib debian-el debian-el-loaddefs haskell-mode-autoloads emacs-goodies-el emacs-goodies-custom emacs-goodies-loaddefs easy-mmode dpkg-dev-el dpkg-dev-el-loaddefs bbdb-autoloads time-date tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode register page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice loaddefs button faces cus-face macroexp files text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote make-network-process dbusbind gfilenotify dynamic-setting system-font-setting font-render-setting move-toolbar gtk x-toolkit x multi-tty emacs)

Memory information:
((conses 16 113554 6541) (symbols 48 22919 0) (miscs 40 43 86)
 (strings 32 25862 4332) (string-bytes 1 791709) (vectors 16 14367)
 (vector-slots 8 431934 2841) (floats 8 79 326) (intervals 56 269 9)
 (buffers 960 12) (heap 1024 37164 997))
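
The pre-save checks proposed in (A) and (C) of the report, as an added example that is not part of the original message and is not Emacs or EasyPG code: it walks the RFC 4880 packet headers that precede the encrypted data packet, notes ASCII armor, and counts PKESK/SKESK packets. The names `dearmor`, `read_header`, `save_warnings` and `sample_pkesk` are hypothetical, the messages `D` and `D_PRIME` are constructed, and version 3 PKESK packets are assumed.

```python
import base64
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18   # RFC 4880 packet tags

def dearmor(data):                       # -> (was_armored, binary packets)
    if not data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return False, data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]          # skip armor headers, END line
    b64 = b"".join(l for l in body if not l.startswith(b"="))  # drop CRC24 line
    return True, base64.b64decode(b64)

def read_header(buf, pos):               # -> (tag, body_start, body_len or None)
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                               # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                  # partial body length
    tag, n = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]   # old-format header
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big") if n else None
    return tag, pos + 1 + n, length                # None: indeterminate length

def save_warnings(data):                 # warnings to show before re-saving
    armored, buf = dearmor(data)
    key_ids, skesks, pos = [], 0, 0
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        if tag in (SED, SEIPD) or length is None:
            break                                  # session-key packets come first
        if tag == PKESK:                           # v3 body: version, 8-byte key ID
            key_ids.append(buf[start + 1:start + 9].hex().upper())
        skesks += tag == SKESK
        pos = start + length
    out = ["ASCII-armored input: keep armor on save"] if armored else []
    if len(key_ids) + skesks > 1:
        out.append(f"PKESK key IDs {key_ids}, {skesks} SKESK: list is unauthenticated")
    return out

def sample_pkesk(kid):   # constructed: old-format header, v3 body, dummy ciphertext
    return bytes([0x84, 14, 3]) + bytes.fromhex(kid) + bytes([1, 0, 0, 0, 0])

D = sample_pkesk("1122334455667788") + bytes([0xC0 | SEIPD, 3, 1, 0, 0])
D_PRIME = sample_pkesk("AABBCCDDEEFF0011") + D     # phony PKESK prepended
print(save_warnings(D), save_warnings(D_PRIME))
```

A signature inside the encryption, item (B), only becomes visible after decryption, so this header walk cannot detect it.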