Replace GnuPG with Sequoia #1618

Open
DemiMarie opened this issue Mar 14, 2024 · 2 comments

Comments

@DemiMarie

Is your feature request related to a problem? Please describe.
GnuPG is a large amount of legacy C code that operates on untrusted input.

Describe the solution you'd like
Use Sequoia instead. Only signature verification is needed.

Describe alternatives you've considered
Use a different tool for verifying signatures, such as signify or ssh-keygen.

Additional context
GnuPG has known bugs and will decompress data in the signature, creating extra attack surface.

@tlaurion
Collaborator

tlaurion commented Mar 27, 2024

@DemiMarie

Describe alternatives you've considered
Use a different tool for verifying signatures, such as signify or ssh-keygen.

Neither supports smartcards, do they?

Additional context
GnuPG has known bugs and will decompress data in the signature, creating extra attack surface.

heads/modules/gpg2

Lines 29 to 49 in 05289c0

--enable-scdaemon \
--enable-ccid-driver \
--disable-tofu \
--disable-rpath \
--disable-regex \
--disable-doc \
--disable-bzip2 \
--disable-exec \
--disable-photo-viewers \
--disable-ldap \
--disable-regex \
--disable-nls \
--disable-all-tests \
--disable-wks-tools \
--disable-gnutls \
--disable-dirmngr \
--disable-ntbtls \
--disable-libdns \
--disable-zip \
--disable-sqlite \
--disable-gpgsm \

Not aware of any decompression being possible in the currently configured/compiled gpg2.
Did I miss something you found/tested?

Is your feature request related to a problem? Please describe.
GnuPG is a large amount of legacy C code that operates on untrusted input.

Where/how is it used under GUI ops under Heads?
Heads uses gpgv (wrapper for verify-only ops) in daily ops, and uses gpg detach-sign calls otherwise upon request from the user, which is followed by a boot and then a clean state again. Did I miss something?


Discussion

  • Is Sequoia smartcard support production ready now?
  • Is the firmware footprint advantageously lower than the gpg toolstack today? Can most of the features be deactivated as they are for the gnupg toolstack? What is the size comparison of the toolstacks today?
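As an added illustration of the decompression concern discussed in this thread (this is not Heads', GnuPG's or Sequoia's code): a pre-check that walks the packet headers of a detached signature file and accepts it only if every packet is a Signature packet, so a Compressed Data packet never reaches a verifier that would inflate it. Tag numbers and header encoding follow RFC 4880 section 4.2; the sample byte strings are constructed.

```python
# Added example: reject detached-signature blobs that carry anything other
# than OpenPGP Signature packets (tag 2), e.g. a Compressed Data packet (tag 8).
SIGNATURE = 2
COMPRESSED_DATA = 8


def _packet_header(data: bytes, pos: int):
    """Return (tag, body_length, header_length) for the packet at pos.

    Partial body lengths (new format, first octet 224..254) and the
    old-format indeterminate length are rejected: a detached signature
    never needs them and they complicate bounds checking.
    """
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        l0 = data[pos + 1]
        if l0 < 192:
            return tag, l0, 2
        if l0 < 224:
            return tag, ((l0 - 192) << 8) + data[pos + 2] + 192, 3
        if l0 == 255:
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body length not allowed")
    tag = (first >> 2) & 0x0F  # old-format header: tag in bits 2..5
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not allowed")
    nbytes = 1 << ltype  # 1, 2 or 4 length octets
    return tag, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes


def packet_tags(data: bytes) -> list:
    """List the packet tags in data, raising on any truncated packet."""
    tags, pos = [], 0
    while pos < len(data):
        tag, blen, hlen = _packet_header(data, pos)
        if pos + hlen + blen > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        tags.append(tag)
        pos += hlen + blen
    return tags


def is_signature_only(data: bytes) -> bool:
    """True only if the blob parses cleanly and holds nothing but Signature packets."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE for t in tags)


# Constructed vectors: bodies are dummy bytes, only the headers matter here.
GOOD_SIG = bytes([0x88, 3]) + b"\x04\x00\x01"          # old format, tag 2, 3-byte body
SMUGGLED = bytes([0xC8, 4]) + b"\x01abc" + GOOD_SIG   # new-format tag 8, then the tag 2
```

Run the check on the signature file before invoking gpgv; a blob that fails it is simply not passed to the verifier.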

@tlaurion
Collaborator

Is Sequoia smartcard support production ready now?

It is though smartcard cradle.
That would be a big refactoring, if footprint is not out of scope.
