[Cryptography] Don't grep for PGP Fingerprints

Alfie John alfie at alfie.wtf
Thu Jan 10 21:46:59 EST 2019


Hi all,

I've always used grep when checking for PGP Fingerprints. After a thread on
Twitter [1], I learned that this is totally insecure:

	"The potential vuln is that if you just grep for the expected fingerprint, an
	attacker could insert that sequence as their real name or email address. You
	need to parse that output very explicitly. Wish gpg would print *only* the
	fp."

So I decided to create a tool to do this safely:

  https://gitlab.com/alfiedotwtf/fingerprint

Comments welcome.

Alfie

1. https://twitter.com/alfiedotwtf/status/1078891847953444864

--
Alfie John
https://www.alfie.wtf
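
The failure mode described in the quoted tweet, as an added example (not part of the original post, and not the code of the tool linked above): it parses GnuPG's `--with-colons` listing and compares only field 10 of the primary key's `fpr` record. The sample listing, key material and the function names are constructed for illustration; the field positions follow GnuPG's documented colon format.

```sh
# Constructed `gpg --with-colons --fingerprint` listing (not real keys).
# The key's owner has typed the fingerprint we expect into the user ID.
EXPECTED=0123456789ABCDEF0123456789ABCDEF01234567
sample_listing() {
cat <<'EOF'
pub:-:4096:1:FEDCBA9876543210:1546300800:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210:
uid:-::::1546300800::0000000000000000000000000000000000000000::0123456789ABCDEF0123456789ABCDEF01234567 <mallory@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1546300800::::::e::::::23:
fpr:::::::::9999888877776666555544441111222233334444:
EOF
}

# Print only primary-key fingerprints: the fpr record that follows pub/sec.
# uid records and subkey fpr records are never looked at.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { primary = 1; next }
        $1 == "sub" || $1 == "ssb" { primary = 0; next }
        $1 == "fpr" && primary     { print $10; primary = 0 }
    '
}

# Normalise a human-typed fingerprint: drop spaces, upper-case the hex.
normalise() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read a colon listing on stdin. Succeed only if it holds exactly one primary
# key and that key's fingerprint equals the expected 40-hex-digit value.
fingerprint_matches() {
    want=$(normalise "$1")
    case "$want" in *[!0-9A-F]*) return 2 ;; esac   # reject non-hex input
    [ "${#want}" -eq 40 ] || return 2                # reject short key IDs
    got=$(primary_fingerprints)                      # several keys -> several lines -> no match
    [ "$got" = "$want" ]
}

# Demo on the constructed listing: grep is fooled, the parser is not.
sample_listing | grep -q "$EXPECTED" && echo "grep: match (wrong)"
sample_listing | fingerprint_matches "$EXPECTED" || echo "parser: no match (right)"
```

Against a real keyring the listing would come from `gpg --with-colons --fingerprint <key>` piped into `fingerprint_matches`.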

