ni4
commented
3 years ago We do not have such option yet, sorry. But how often it happens/or it is needed?
Open thomas-roos opened 3 years ago
ni4
commented
3 years ago We do not have such option yet, sorry. But how often it happens/or it is needed?
thomas-roos
commented
3 years ago We want to replace gpg by rnp. We use it to check signature and encrypt update files for embedded devices. On those devices a correct RTC is not enforced. So our updates will fail. This is a mandatory option for us.
ronaldtse
commented
3 years ago @ThomasRausU thanks for the suggestion, we should be able to make that work in the near-term roadmap. Thoughts @ni4 @dewyatt ?
ni4
commented
3 years ago @ThomasRausU Thanks for the details, we should definitely support such usecase in our FFI and CLI. So, as I understand, with this option enabled rnp should ignore all the signature/key creation timestamps, and current timestamp inconsistency?
Or, as key and its sigs are generated on the 'normal' device with correct RTC, we should ignore only the current timestamp when checking signatures?
thomas-roos
commented
3 years ago thx - the device creating the sigs and encrypting a file the RTC is correct. But on the embedded device which is decrypting and checking the RTC is might not correct. So then there should be an option to ignore such failures.
nwalfield
commented
3 years ago A better strategy would probably be to use the signature creation time as the reference time. Then when you examine the certificate, you can still do the usual sanity checks and use the correct self signature (which it sounds like you might not be doing).
The app probably should probably also save the signature creation time in a DB and reject updates with an earlier signature creation time to avoid downgrade attacks.
thomas-roos
commented
3 years ago I dont understand correctly I think - what I wanna do is replace: gpg --homedir /etc/gnupg/ --no-tty --pinentry-mode loopback --passphrase $SECRET --batch --yes --lock-never --no-auto-check-trustdb --ignore-time-conflict --ignore-valid-from --decrypt /tmp/updatefile.idu | tar xz -C $TMPDIR by rnp --homedir=/etc/gnupg/ --password=$SECRET --decrypt /tmp/updatefile.idu | tar xz -C $TMPDIR
this is working correctly if the device RTC time is correct. If it's years ago it's not working. And might you wanna say this - I'm also like to check without --decrypt ing it if the updatefile is valid sigend + encrypted. Without decrpyting it ;)
--ignore-time-conflict known from gpg - which "GnuPG normally checks that the timestamps associated with keys and signatures have plausible values. However, sometimes a signature seems to be older than the key due to clock problems. This option makes these checks just a warning." -> is there some option in rnp available?