Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Auto pgp-sign news hack


Article: 7534 of alt.hackers
From: set@oryx.llnl.gov (Sam Trenholme)
Newsgroups: alt.hackers,comp.sources.misc
Subject: Auto pgp-sign news hack
Date: 23 Mar 1995 10:48:25 GMT
Organization: LLNL Laser Modeling & Optimization
Lines: 103
Approved: This is too easily forged!
Message-ID: 3krjlp$a6g@lll-winken.llnl.gov
NNTP-Posting-Host: oryx.llnl.gov
Cc:
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----

>I figured out how to use IHAVE to post an article
>so that I can make the header say whatever the hell I want
>it to.

Now that these forgery tricks are becoming well-known, and people
abusing these tricks (to wit: the recent make.money.fast forge here) it is
time to bring in some hacks to make one's news a little harder to forge.

ObYouAintForgingMyNewsHack:

These programs will automaticlly, quickly, and easily PGP-sign all of
your outgoing news:

First, place the following two-line shell script in your directory, naming
it pgp_edit:

#!/bin/sh
pico $1; add_pgp_sig < $1 > /tmp/tmp.`whoami` ; mv /tmp/tmp.`whoami` $1

Replacing "pico" with your favorite editor (The reason why I use
pico is
because jove handles my terminal emulator poorly), of course.

Next, take the following 5-line awk script, and name it add_pgp_sig:

#!/usr/local/bin/gawk -f
BEGIN {if(ENVIRON["PGPPASS"]=="") a=2} $0=="--"
{a=2;close("pgp -fast")}
($0=="" && !a) || (NR==1 && $1 !~ /:$/)
{if($0==""){print;getline};a=1;
if($0=="-----BEGIN PGP SIGNED MESSAGE-----")a=2} a!=1 {print}
a==1 {print | "pgp -fast"} END {if(a==1)close("pgp -fast")}

Depending on your system you might have to reaplce the first line with
"#!/bin/awk -f" (bsd-based unices) or "#!/usr/bin/awk -f"
(sysv-based
unices).

Now, edit your ".login", making sure that pgp_edit and add_pgp_sig
are in
a directory contained in your path variable. Also add the following lines
to your .login:

setenv EDITOR pgp_edit
setenv VISUAL pgp_edit
setenv PGPPASS <your_pgp_passphrase>

Please note that if you are concerned about your pgp passphrase being
visible in your environment, just have PGPPASS be foobar, and pgp will
ask you to type in your real passphrase. If your pgp passphrase is in
your .login, please be sure to protect it from prying eyes:

$ chmod 600 ~/.login

The above assumes that you are using a csh/tcsh login shell. In a bourne
variety shell, I *believe* it's "env EDITOR=pgp_edit", and so
on. Not sure,
though.

This little script is also usable as a "front end" for your
mailing program.
Just set up your mailer's configuration to make pgp_edit your editor.

Now that you have done this, your news will automaticlly be pgp-signed
after you are done editing it. Please note that if you reedit it,
remove any the pgp-sig from the letter while reediting it, or it won't
sign the article.

This program won't sign files already PGP-signed. This makes life
easier if you accidently re-enter the editor and don't want to edit the
program. It also won't sign articles unless the PGPPASS environmental
varible is set. The thinking behind this is this: If a system admin makes
this stuff the default editor, only the users that use PGP will have their
mail/news automaticlly signed.

This program assumes you wish to sign you mail/news with your most
recently generated pgp key. This is a fairly safe assumption, and one of
the ways I was able to keep this entire project within 5 lines of code.

I should write a quickie remove pgp sigs before the file is edited.
Something like:

#!/usr/local/bin/gawk -f
$0 ~ /----BEGIN PGP SIGNATURE----/ {a=1}
$0 ~ /----END PGP SIGNATURE----/ {a=0}
$0 !~ /----BEGIN PGP SIGNED MESSAGE----/ && !a {print}

And add a refernece to this second awk script in my shell script.

To do: 1) Add a script to make the pgp signature less visible, and
in the headers. 2) Rewrite the entire thing in Perl, a much better
language than Awk.

Please post/email flames, comments, and suggestions for improvement. The
address in the headers is my real address.

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAwUBL3FSLwUv8wmFUeQBAQGp9gIAhAYVH9rUcmJj4sLtE9NhLkx55dzFJoit
b8GVXIciBVwABh1s3CTqARiqKpmmKJDJw0J0uT1t0ewFRcY97oRO6g==
=Fcjr
-----END PGP SIGNATURE-----
--
Please note that the PGP key used to sign this message is NOT the
PGP key with PGP print F49C2183787CBC49717524 etc. That is my other,
higher-security PGP key. To get my PGP keys: finger set@ocf.berkeley.edu
More info about PGP: alt.security.pgp ; http://www.ocf.berkeley.edu/~set



Parent

Child Child Child Child

Back to index