extract: gpg wrapped tar.gz extracter

extract is a small shell script wrapper around tar and gpg --verify which eases the use of gpg to verify downloaded executables. i wrote it after the openssh backdoor fiasco and a subsequent conversation with j-* about how to get around this.

extract is not perfect, its for a limited subset of archives. however, its got some utility for people who want to seamlessly verify their archives and the signatures.

extract is a small test tool. i want to get people thinking about how to make this process, trusted archives, more transparent.

extract smooths this procedure by:

initializing your GPG installation for yourself if needed
running gpg --verify on the archive to check the signature
if the signature checks out (you have the key and they match) then you get the file extracted (tar -zxvf)
if the signature has no matching key, the key is fetched and extract rerun.
if the signature fails to match the known key, it throws an error and exits

from the usage:

usage: extract (archive)
       archive and archive.sig must be in the same directory.

very simple.

example:

$ extract openssh-3.4p1.tar.gz-suspect                                         
*** WARNING ****
signature FAILED for openssh-3.4p1.tar.gz-suspect

$ extract openssh-3.4p1.tar.gz         
we have a good signature! let's go!
openssh-3.4p1
openssh-3.4p1/contrib
openssh-3.4p1/contrib/ssh-copy-id
openssh-3.4p1/contrib/README
snip

the first example is the trojanned openssh archive. the second is the known good one (snarfed from a UK mirror). you see it pulled a good signature and then started the extract process (via tar -zxvf).

TODO

in no particular order and with no particular ETA:

more key servers (only pgp.mit.edu is used right now)
look for more installation locations of gpg (currently only searches /usr/local/bin)
handle more archive types than tar.gz s
check signatures on the keys to ensure trust ... use the PGP web of trust, after all

download

download version 0.1 here (1 aug 02): extract - shell script archive.

license

like most of my code, BSD licence. see the source.

weaknesses

it doesn't check the trust state of the key. major weakness. in the case of the openssh trojan all the attacker had to do was upload a new .sig with the nearly right key (save for the ID). this tool, extract, and many people would have been none the wiser.

you should also see gzsig from dugsong: gzsig-0.1.tar.gz.

i am seeking more related tools.

Thu Aug 1 23:47:38 EDT 2002