suggestion: gpg signing should confirm with hash of message
I imagine it working something like:
(in the terminal)
$ echo "Happy New Year\!" | gpg2 --clear-sign
gpg: using "hotoatmeal" as default secret key for signing
sha1: c5584719f8f1a85da0ff
aa7eb333a72a3968c47e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Happy New Year\!
(on the device)
GPG sign for:
hotoatmeal
c5584719f8f1a85da0ff
aa7eb333a72a3968c47e
----------------------------
Do you want to sign this?
✘ Cancel Confirm ✔
Where:
echo "Happy New Year\!" | shasum -a 1
c5584719f8f1a85da0ffaa7eb333a72a3968c47e -
This will probably need a corresponding firmware update.
I'm aware that sha1 is known to be insecure, but the Trezor's screen is so little that a sha256 digest is probably too many characters for it.
Thanks for the suggestion!
Unfortunately, it seems that my GnuPG version (2.1.11) doesn't log the to-be-signed hash:
$ echo 123 | gpg2 --clearsign
gpg: using "Roman Zeyde <[email protected]>" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
123
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EARMKAAYFAlpGC0UACgkQh8rl+kaRfLupuQD/VwmTzxh0ovVYJ/g/1TvTRMFE
m/Ioin0+Imb06h2us08A/3D7VNexkoDJ9h5m9Ktl6MPBbhqZDK18WGnU9hnQj4qW
=GgFp
-----END PGP SIGNATURE-----
$ GPG gpg2 --version
gpg (GnuPG) 2.1.11
Is there a flag I am missing?
P.S. This (not showing the hash) also happens in GnuPG 2.2.4.
> Is there a flag I am missing?
No, this is just how I /imagine/ it working. Mine doesn't print that hash either.... yet:
$ echo 123 | gpg2 --clearsign
gpg: using "hotoatmeal" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
123
-----BEGIN PGP SIGNATURE-----
iHUEARMKAB0WIQS5my1/tHHazXPP2HpQhrDwHMbBUQUCWkZt1gAKCRBQhrDwHMbB
UThkAQDoDwxw8gN1tyeAQBwAQ2p2Ad7kCmme7jYkzb1H4OuhkQD/XfJFlrLDbuDu
DmHV7+h6u9NVl48NSDONNwIlronn7yo=
=FcHX
-----END PGP SIGNATURE-----
$ gpg2 --version | head -n1
gpg (GnuPG) 2.2.3
Is there a good place where we can "smuggle" it out to stdout as part of asking the device to do the signing, or is that something only the agent daemon is allowed to do?
The only way I am familiar with is using the --debug-all GnuPG flag:
$ echo 123 | gpg2 --clearsign -u Foobar --debug-all
<snip>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
123
<snip>
gpg: DBG: chan_4 -> RESET
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SIGKEY 16C32D492595853CCD03903D33826E816EB80523
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Foobar%22%0A521-bit+ECDSA+key,+ID+66DCE04B,%0Acreated+2017-11-25.%0A
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SETHASH 10 F985DA8E27A340A939287015E6334889E971FC8FDB5FC488CA2F978D5385F56AA6F2DDA04958FA2B896A975C5C1206E1048B1FC8F876804229930D08A0B330AE
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> PKSIGN
gpg: DBG: chan_4 <- [ 44 20 28 37 3a 73 69 67 2d 76 61 6c 28 35 3a 65 ...(158 byte(s) skipped) ]
gpg: DBG: chan_4 <- OK
<snip>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iKIEARMKAAYFAlpPdHAACgkQTbciL2bc4Ev5hQIJAY/Hnu3IFmnIDS17kwbe1kSz
vbQCNVplbR0S3pVtbYcckSfGpGc57xr6Y+sUhb4b1su0mY5lRFaO0Byqo3rupoI0
AgkBprd5WOeQDVFPyg8UdTLkFS3EAZ/VwnMq/v97MNmdV4IymtMuCAZVh0Rr9NGy
yQyXg0RWdfB/nH5yxoiPH6uXRNw=
=snua
-----END PGP SIGNATURE-----
<snip>
The message digest can be found from the gpg-agent protocol debug messages (see SETHASH above).
The issue here is that GnuPG provides the hardware device with a specific hash to sign - which may be too long to display on the device's screen. We can revisit this issue on TREZOR 2 (which has a larger screen).
Isn't a prefix of the hash better than no hash at all? Then you can even use sha256. I personally don't compare all digits of a hash anyway. I assume crafting a message with a hash that matches the first and last few digits of the hash of the original message is hard enough, even if it's easier than matching all digits of the hash.
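As an added illustration (not code from this thread or from the project), the following Python pulls the SIGKEY fingerprint and the SETHASH digest out of the --debug-all transcript shown earlier and renders the confirmation screen proposed at the top of the thread, using the prefix-plus-suffix compromise from the last comment when the digest does not fit. The sample lines are copied from the transcript above; `device_prompt`, its 20-character row width and two-row limit are assumptions for a small display. It also checks a caveat: the SETHASH digest is not a plain hash of the message text, because OpenPGP hashes the message together with the signature's hashed subpackets and trailer (RFC 4880 section 5.2.4).

```python
import hashlib
import re

# RFC 4880 section 9.4 hash algorithm IDs; the first SETHASH argument uses these.
HASH_ALGOS = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
              9: "sha384", 10: "sha512", 11: "sha224"}

SIGKEY_RE = re.compile(r"chan_\d+ -> SIGKEY ([0-9A-Fa-f]{40})\s*$")
SETHASH_RE = re.compile(r"chan_\d+ -> SETHASH (\d+) ([0-9A-Fa-f]+)\s*$")

# Constructed sample: the relevant lines from the --debug-all transcript above.
SAMPLE_DEBUG = """\
gpg: DBG: chan_4 -> SIGKEY 16C32D492595853CCD03903D33826E816EB80523
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> SETHASH 10 F985DA8E27A340A939287015E6334889E971FC8FDB5FC488CA2F978D5385F56AA6F2DDA04958FA2B896A975C5C1206E1048B1FC8F876804229930D08A0B330AE
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> PKSIGN
"""

def parse_sign_request(debug_text):
    """Return (key_fingerprint, hash_name, digest_hex) from gpg --debug-all
    output, or None if no SETHASH was seen (e.g. a run that did not sign)."""
    fpr = algo = digest = None
    for line in debug_text.splitlines():
        m = SIGKEY_RE.search(line)
        if m:
            fpr = m.group(1).upper()
        m = SETHASH_RE.search(line)
        if m:
            algo = HASH_ALGOS.get(int(m.group(1)), "algo%s" % m.group(1))
            digest = m.group(2).lower()
    if digest is None:
        return None
    return fpr, algo, digest

def device_prompt(key_name, digest, width=20, max_rows=2):
    """Render the confirmation screen (assumed layout): the digest split into
    `width`-char rows. If that needs more than `max_rows` rows, show only the
    first `width` and last `width` hex digits with '...' between them."""
    rows = [digest[i:i + width] for i in range(0, len(digest), width)]
    if len(rows) > max_rows:
        rows = [rows[0], "...", digest[-width:]]
    return ["GPG sign for:", key_name] + rows + ["-" * 28, "Do you want to sign this?"]

def is_plain_digest(message, hash_name, digest):
    """True only if the agent's digest were a plain hash of the message bytes.
    For OpenPGP signatures it is not: the hashed data also covers the
    signature's hashed subpackets and trailer (RFC 4880 section 5.2.4)."""
    return hashlib.new(hash_name, message).hexdigest() == digest
```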