
I wrote a simple cross-platform utility to verify GPG signatures using gpgme. However, gpgme doesn't work very well on Windows, and on other platforms (e.g. OS X) it requires the GnuPG command line utilities to be installed, which is a pretty heavy dependency. I looked into other OpenPGP libraries as well, such as netgpg, but these are even less portable (it really has to build with mingw-w64).

Would it be possible to implement a standalone tool to verify GPG signatures using only standard libraries like OpenSSL and zlib? From what I understand, OpenPGP consists of standard ciphers and hash functions. What is the part that makes this so difficult that there are no good C libraries out there to do this?

Jeroen Ooms

1 Answer


OpenSSL does not implement the OpenPGP format and is not compatible. Use an OpenPGP implementation like GnuPG, Bouncy Castle (a framework available for Java/C#) or others (OpenPGP.js for JavaScript, and there's a Go library).

While OpenPGP uses standard cryptographic digest and encryption algorithms, it has a different message format and, in particular, uses its own CFB mode variant. You'd have to implement both a parser for the OpenPGP message format and be compatible with the OpenPGP CFB mode (if you want to support encryption), and finally pass the results to OpenSSL for the actual cryptography.

Finally, supporting the whole web of trust concept, including the full OpenPGP specification, is a broad task and has a variety of issues to consider ([1], [2], ...). In the Unix world, people seem to be happy enough with GnuPG and GPGME, which are deeply tested and analyzed for even very advanced security issues (for example, this side channel attack). New implementations are most likely vulnerable to similar problems already solved for GnuPG.

Jens Erat
  • Thanks this is helpful. I was hoping the problem would be less complicated because I don't need encryption, only signature verification. – Jeroen Ooms Jul 16 '15 at 15:26
  • This probably indeed reduces the effort by magnitude, but still you'd have to implement the message format. It might be possible `gpgv` already does what you're looking for. – Jens Erat Jul 16 '15 at 15:31
  • Basic parsing shouldn't be too difficult with some regex magic... gpgverify is only available as an executable, right? I need bindings... or is there a libgpgv that I don't know about? – Jeroen Ooms Jul 16 '15 at 17:08
  • As OpenPGP is a binary protocol (the ASCII-armoring is just encoding), I wouldn't use regular expressions. You might also look at `pgpdump`, which is an OpenPGP parser (and "pretty printer") that I think is written in C. – Jens Erat Jul 16 '15 at 19:14
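To make concrete what "implement the message format" means for the signature-only case, here is an added example (not code from the question, the answer, or any of the libraries named above): a small Python parser for the binary layer that remains once the ASCII armor has been stripped. It frames packets with both old- and new-format headers (RFC 4880 section 4.2), walks the two subpacket areas of a v4 signature packet (section 5.2.3) to recover the issuer key id and creation time, and reads the signature MPIs. The sample signature packet is constructed for this example: the key id, timestamp and the MPI value 0xBEEF are placeholders, not a real signature, so the block shows only the parsing step; the actual RSA/DSA verification over the reconstructed hash would still be handed to OpenSSL. Every read goes through a bounds check so that a truncated or malformed file is rejected with an error rather than silently misread, which is the practical reason a byte-oriented parser is preferable to regular expressions here.

```python
def _take(data, pos, n):
    """Bounds-checked slice: truncated input raises instead of silently reading short."""
    chunk = data[pos:pos + n]
    if len(chunk) != n:
        raise ValueError(f"truncated data at offset {pos}")
    return chunk

def _varlen(data, pos, two_octet_limit):
    """New-format length encoding (packets: RFC 4880 4.2.2; subpackets: 5.2.3.1)."""
    first = _take(data, pos, 1)[0]
    if first < 192:
        return first, pos + 1
    if first < two_octet_limit:
        return ((first - 192) << 8) + _take(data, pos + 1, 1)[0] + 192, pos + 2
    if first == 255:
        return int.from_bytes(_take(data, pos + 1, 4), "big"), pos + 5
    raise ValueError("partial body lengths are not handled in this example")

def parse_packets(data):
    """Split a binary OpenPGP message into (tag, body) pairs (RFC 4880 4.2)."""
    packets, pos = [], 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag octet 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                        # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            length, pos = _varlen(data, pos, 224)
        else:                                 # old-format header: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            length = int.from_bytes(_take(data, pos, 1 << ltype), "big")
            pos += 1 << ltype                 # 1, 2 or 4 length octets
        packets.append((tag, _take(data, pos, length)))
        pos += length
    return packets

def parse_subpackets(area):
    """Signature subpackets as {type: data}; the length covers the type octet too."""
    out, p = {}, 0
    while p < len(area):
        length, p = _varlen(area, p, 255)
        chunk = _take(area, p, length)
        out[chunk[0] & 0x7F] = chunk[1:]      # high bit marks a "critical" subpacket
        p += length
    return out

def parse_v4_signature(body):
    """Fields of a v4 signature packet (RFC 4880 5.2.3) as a dict."""
    if _take(body, 0, 4)[0] != 4:
        raise ValueError(f"only v4 signatures are handled here, got v{body[0]}")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}
    p = 4
    for area in ("hashed", "unhashed"):      # two subpacket areas, each 2-octet length-prefixed
        n, p = int.from_bytes(_take(body, p, 2), "big"), p + 2
        info[area] = parse_subpackets(_take(body, p, n))
        p += n
    info["left16"], p = _take(body, p, 2), p + 2   # leading 2 octets of the signed hash
    info["mpis"] = []
    while p < len(body):                      # MPIs: 2-octet bit count, then magnitude
        bits, p = int.from_bytes(_take(body, p, 2), "big"), p + 2
        info["mpis"].append(int.from_bytes(_take(body, p, (bits + 7) // 8), "big"))
        p += (bits + 7) // 8
    issuer = info["hashed"].get(16) or info["unhashed"].get(16) or b""
    info["issuer"] = issuer.hex()             # subpacket type 16 = issuer key id
    return info

# Constructed sample (not a real signature): v4, binary-document (0), RSA (1),
# SHA-256 (8), creation-time and issuer subpackets, placeholder key id and MPI.
SAMPLE_BODY = (bytes([4, 0, 1, 8]) + b"\x00\x10"
               + b"\x05\x02" + (1436988000).to_bytes(4, "big")
               + b"\x09\x10" + bytes.fromhex("0123456789abcdef")
               + b"\x00\x00" + b"\xab\xcd" + b"\x00\x10\xbe\xef")
SAMPLE_NEW = bytes([0xC2, len(SAMPLE_BODY)]) + SAMPLE_BODY   # new-format header, tag 2
SAMPLE_OLD = bytes([0x88, len(SAMPLE_BODY)]) + SAMPLE_BODY   # old-format, 1-octet length

def inspect_signature(data):
    """Frame the packets and decode the single signature packet a detached .sig holds."""
    sigs = [body for tag, body in parse_packets(data) if tag == 2]
    if len(sigs) != 1:
        raise ValueError(f"expected one signature packet, found {len(sigs)}")
    return parse_v4_signature(sigs[0])

if __name__ == "__main__":
    print(inspect_signature(SAMPLE_NEW))
```

Running the block prints the decoded fields of the constructed packet (signature type 0, RSA, SHA-256, issuer `0123456789abcdef`, one MPI). The two header formats are deliberately both exercised: the same signature body framed with an old-format header decodes to the same result, and a truncated input raises instead of returning a partial structure. What this deliberately leaves out is everything after parsing, namely rebuilding the hash over the signed data plus the hashed subpacket area and trailer, locating the issuer's public key, and doing the asymmetric verification, which is the part that can be delegated to OpenSSL.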