Validating signature trust with gpg

cryptographydigital-signaturesgpgpgp

We would like to use gpg signatures to verify some aspects of our
system configuration management tools. Additionally, we would like to
use a "trust" model where individual sysadmin keys are signed with a
master signing key, and then our systems trust that master key (and
use the "web of trust" to validate signatures by our sysadmins).

This gives us a lot of flexibility, such as the ability to easily
revoke the trust on a key when someone leaves, but we've run into a
problem. While the gpg command will tell you if a key is
untrusted, it doesn't appear to return an exit code indicating this
fact. For example:

# gpg -v < foo.asc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header: 
gpg: original file name=''
this is a test
gpg: Signature made Fri 22 Jul 2011 11:34:02 AM EDT using RSA key ID ABCD00B0
gpg: using PGP trust model
gpg: Good signature from "Testing Key <someone@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ABCD 1234 0527 9D0C 3C4A  CAFE BABE DEAD BEEF 00B0
gpg: binary signature, digest algorithm SHA1

The part we care about is this:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The exit code returned by gpg in this case is 0, despite the trust
failure:

# echo $?
0

How do we get gpg to fail in the event that something is signed with
an untrusted signature?

I've seen some suggestions that the gpgv command will return a proper exit code, but unfortunately gpgv doesn't know how to fetch keys from keyservers. I guess we can parse the status output (using –status-fd) from gpg, but is there a better way?

Best Answer

This is what ended up with:

#!/bin/sh

tmpfile=$(mktemp gpgverifyXXXXXX)
trap "rm -f $tmpfile" EXIT

gpg --status-fd 3 --verify "$@" 3> $tmpfile || exit 1
egrep -q '^\[GNUPG:] TRUST_(ULTIMATE|FULLY)' $tmpfile

This looks for the trust information that gpg outputs on --status-fd. The script exits with an error in the presence of an untrusted signature (or invalid/no signature):

$ sh checksig sample.sh.bad 
gpg: Signature made Mon 24 Jun 2013 11:42:58 AM EDT using RSA key ID DCD5C569
gpg: Good signature from "Test User <testuser@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6FCD 3CF0 8BBC AD50 662E  5070 E33E D53C DCD5 C569
$ echo $?
1

The script exits with no error in the presence of a valid, trusted signature:

$ sh checksig sample.sh.good
gpg: Signature made Mon 24 Jun 2013 11:38:49 AM EDT using RSA key ID 5C2864A8
gpg: Good signature from "Lars Kellogg-Stedman <...>"
$ echo $?
0

Related Solutions

Validating GPG key signature authenticity

The usual means of verification is to contact the key owner and ask him/her to provide you (over the phone, or in person) with their key fingerprint. If you have strong reason to believe you are actually speaking to the person identified by the key, AND if the fingerprint the person provides matches the fingerprint of the key you have, THEN you can be quite certain you have the owner's real public key (and NOT a counterfeit key, created by an imposter for the purpose of impersonating that person).

Once you have verified the authenticity of the key to your satisfaction, you should sign that public key with your own private key. Once you've signed the key, you will no longer get those WARNINGs, because by signing it, you have indicated that you believe the key to be authentic.

How to verify an imported GPG key

When I do this, I'm given the message "This key is not certified with a trusted signature". Is there anyway to make it trusted and better yet what's the proper way for doing so?

A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.

You can edit the trust level of keys by running "gpg --edit-key ", and then using the trust command. This section of the GPG manual discusses key trust, and it's worth a read: good security is hard.

Note that the warning "This key is not certified with a trusted signature" basically means, "this thing could have been signed by anybody". I can create a key that claims to be for "Internet Systems Consortium, Inc. (Signing key, 2013) ", and sign things with it, and GPG will happily confirm that yes, the things I signed were signed with my key. To avoid this problem, you would presumably download the ISC GPG key from the website and either trust it ultimately ("I believe this entity can certify itself") or sign it with your ultimately-trusted private key. Without proper management of key trust, signature verification is mostly theater.

Find out when it expires?

Running gpg -k <keyid> will show you when a given key expires. For example, I created a key that expires tomorrow, and gpg -k <keyid> gives me:

$ gpg -k 0xD4C2B757C3FAE256
pub   2048R/0xD4C2B757C3FAE256 2014-01-26 [expires: 2014-01-27]
uid                 [ultimate] Test User <testuser@example.com>
sub   2048R/0xE87A56CDCC670D7A 2014-01-26 [expires: 2014-01-27]

You can see that the expiration dates on subkeys are clearly marked. Note that subkeys used for signing and encryption may have different expiration dates from the primary key. You can read more about subkeys here.

In fact does GPG tells me when the key I've imported has already expired when I do a "gpg --verify"?

Yes, GPG will notify you about an expired key. Note that this does not necessarily represent a problem: the signature was valid when the document was signed.

Update the key. Do I have to delete the key and re-import when this happens?

You should have you GPG environment configured to use a keyserver, and periodically run gpg --refresh-keys. This will update any keys in your keyring with new information from the keyserver, which may include:

new expiration dates
additional signatures on the key

If a person or organization begins using a new key, you would just add it to your keychain -- you would not need to delete the existing key.

Best Answer

Related Solutions

Validating GPG key signature authenticity

How to verify an imported GPG key

Related Topic