[Cryptography] Don't grep for PGP Fingerprints
Alfie John
alfie at alfie.wtf
Thu Jan 10 21:46:59 EST 2019
Hi all,

I've always used grep when checking for PGP Fingerprints. After a thread on
Twitter [1], I learned that this is totally insecure:

"The potential vuln is that if you just grep for the expected fingerprint, an
attacker could insert that sequence as their real name or email address. You
need to parse that output very explicitly. Wish gpg would print *only* the
fp."

So I decided to create a tool to do this safely:

https://gitlab.com/alfiedotwtf/fingerprint

Comments welcome.

Alfie

1. https://twitter.com/alfiedotwtf/status/1078891847953444864
--
Alfie John
https://www.alfie.wtf
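
The difference between a substring match and an explicit parse, as an added example (not part of the original post and not code from the linked tool). It assumes gpg's machine-readable `--with-colons` listing, in which `fpr` records carry the fingerprint in field 10 and `uid` records carry the user ID; the listings, fingerprints and addresses are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data: fingerprints, names and addresses are made up.
EXPECTED=0123456789ABCDEF0123456789ABCDEF01234567

# Colon listing of the key we actually expect.
genuine_listing() {
cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1546300800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1546300800::::Alice Example <alice@example.org>:
EOF
}

# Colon listing of a different key whose user ID contains the expected fingerprint.
lookalike_listing() {
cat <<'EOF'
pub:-:4096:1:76543210FEDCBA98:1546300800:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1546300800::::0123456789ABCDEF0123456789ABCDEF01234567 <mallory@example.org>:
EOF
}

# Print field 10 of each fpr record that directly follows a pub record,
# i.e. primary-key fingerprints only; uid and subkey records are ignored.
primary_fprs() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "fpr" && p { print $10 }
             { p = 0 }'
}

# Read a colon listing on stdin; succeed only if a primary fingerprint equals $1.
# Returns 2 when $1 is not a 40-hex-digit fingerprint.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case $want in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    # Appending "" forces a string comparison even for all-digit values.
    primary_fprs | awk -v want="$want" '($0 "") == want { ok = 1 } END { exit !ok }'
}

# The check the post warns about: a substring match over the whole listing.
naive_grep() { grep -q -- "$1"; }

for listing in genuine_listing lookalike_listing; do
    if "$listing" | naive_grep "$EXPECTED"; then g=match; else g=no-match; fi
    if "$listing" | fingerprint_matches "$EXPECTED"; then f=match; else f=no-match; fi
    echo "$listing: grep=$g parsed=$f"
done
```

On a real keyring the listing would come from `gpg --with-colons --fingerprint` for the key in question, piped into `fingerprint_matches`.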