extract: gpg wrapped tar.gz extractor

extract is a small shell script wrapper around tar and gpg --verify, which eases the use of gpg to verify downloaded executables. i wrote it after the openssh backdoor fiasco and a subsequent conversation with j-* about how to get around this.

extract is not perfect; it's for a limited subset of archives. however, it's got some utility for people who want to seamlessly verify their archives and the signatures.

extract is a small test tool. i want to get people thinking about how to make this process, trusted archives, more transparent.

extract smooths this procedure by:

from the usage:

usage: extract (archive)
       archive and archive.sig must be in the same directory.
very simple.

example:

$ extract openssh-3.4p1.tar.gz-suspect
*** WARNING ****
signature FAILED for openssh-3.4p1.tar.gz-suspect

$ extract openssh-3.4p1.tar.gz
we have a good signature! let's go!
openssh-3.4p1
openssh-3.4p1/contrib
openssh-3.4p1/contrib/ssh-copy-id
openssh-3.4p1/contrib/README
snip
the first example is the trojanned openssh archive. the second is the known good one (snarfed from a UK mirror). you see it pulled a good signature and then started the extract process (via tar -zxvf).

TODO

in no particular order and with no particular ETA:

download

download version 0.1 here (1 aug 02): extract - shell script archive.

license

like most of my code, BSD licence. see the source.

weaknesses

it doesn't check the trust state of the key, which is a major weakness. in the case of the openssh trojan all the attacker had to do was upload a new .sig made with a key that looked nearly right (save for the ID); this tool, extract, and many people would have been none the wiser.
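a hardened version of the same verify-then-untar flow, added here as an example and not the extract script itself, that closes the weakness above: it reads gpg's machine-readable --status-fd output and accepts only a valid signature whose key fingerprint matches a pinned value and which the local keyring trusts, so a look-alike key with a different ID is rejected. the pinned fingerprint, the function names and the sample status lines are placeholders/assumptions, not real keys or captured output.

```shell
#!/bin/sh
# Hardened variant of extract's "gpg --verify, then tar -zxvf" flow.
# A good signature is not enough: the signing key's fingerprint must match
# a pinned value and gpg's trust calculation must be FULLY or ULTIMATE.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder, not a real key

# check_sig_status STATUS_TEXT PINNED_FPR
# STATUS_TEXT is the machine-readable output of "gpg --status-fd 1 --verify".
# Succeeds only on GOODSIG + VALIDSIG with the pinned fingerprint + TRUST_FULLY
# or TRUST_ULTIMATE; any BADSIG/ERRSIG/NO_PUBKEY line fails it outright.
check_sig_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && $3 == want { fpr = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trust = 1 }
        END { exit !(good && fpr && trust && !bad) }'
}

# extract_verified ARCHIVE: same contract as extract (archive and archive.sig
# side by side), but untars only when check_sig_status accepts the signature.
extract_verified() {
    archive=$1
    status=$(gpg --status-fd 1 --verify "$archive.sig" "$archive" 2>/dev/null) || true
    if ! check_sig_status "$status" "$PINNED_FPR"; then
        echo "*** WARNING ****" >&2
        echo "signature or key check FAILED for $archive" >&2
        return 1
    fi
    echo "good signature from the pinned key! let's go!"
    tar -zxvf "$archive"
}

# Constructed status output in the shape gpg prints (not captured from a real run).
SAMPLE_GOOD="[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-08-01 1028160000 0 3 0 17 2 00
[GNUPG:] TRUST_ULTIMATE"
# The openssh-trojan shape: a valid signature, just from a look-alike key nobody trusts.
SAMPLE_WRONG_KEY="[GNUPG:] GOODSIG FEDCBA9876543210 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-08-01 1028160000 0 3 0 17 2 00
[GNUPG:] TRUST_UNDEFINED"
# Right key, but the local keyring does not trust it: still rejected.
SAMPLE_UNTRUSTED="[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-08-01 1028160000 0 3 0 17 2 00
[GNUPG:] TRUST_UNDEFINED"
SAMPLE_BAD="[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>"
check_sig_status "$SAMPLE_GOOD" "$PINNED_FPR" && echo "pinned, trusted key: accepted"
check_sig_status "$SAMPLE_WRONG_KEY" "$PINNED_FPR" || echo "look-alike key: rejected"
```

the status-line parsing needs no gpg at all, so the decision logic can be checked on the constructed samples; only extract_verified needs gpg and a keyring that actually holds and trusts the pinned key.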

related

you should also see gzsig from dugsong: gzsig-0.1.tar.gz.

i am seeking more related tools.

Thu Aug 1 23:47:38 EDT 2002