Project

Profile

Help

Story #6291

closed

SigningService should issue a warning if the signing script has changed on disk

Added by quba42 over 4 years ago. Updated about 4 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Currently, signing services like AsciiArmoredDetachedSigningService which inherit from SigningService must verify that the signing script provided by the user produces valid signatures as expected by the signing service before the signing service can be saved.

However, there is no guarantee that the signing script is not changed (for one that is potentially broken) after the signing service has been saved.

The proposal is to store the hash of the signing service when saving the service and checking the actual hash of the script against this stored value whenever the sign() function is called.

After some discussion on irc we concluded that an incorrect hash should merely produce a warning, since there may be legitimate reasons for the script to change and since this check is insufficient to guard against a malicious actor (only against accidental breakage).

One possibility would be to rerun the verification if a hash value mismatch is found.

Also available in: Atom PDF