Re: [PATCH v2 1/1] t6300: fix match with insecure memory

[Kousik Sanagavarapu <five231003@gmail.com>]

Christian Hesse <list@eworm.de> wrote:

> From: Christian Hesse <mail@eworm.de>
> 
> Running the tests in a build environment makes gnupg print a warning:
> 
> gpg: Warning: using insecure memory!
>
> This warning breaks the match, as `head` misses one line. Let's strip
> the line, make `head` return what is expected and fix the match.
>
> Signed-off-by: Christian Hesse <mail@eworm.de>

I think a bit of an explanation about why this warning is showing up in the
commit message would be good.

"man gpg" gives me

	On older systems this program should be installed as setuid(root).
	This is necessary to lock memory  pages.  Locking  memory
	pages prevents the operating system from writing memory pages (which
	may contain passphrases or other sensitive material) to disk. If you
	get no warning message about insecure memory your operating system
	supports locking  without  being  root.  The program drops root
	privileges as soon as locked memory is allocated.

	Note  also  that  some systems (especially laptops) have the ability to
	``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
	This writes all memory to disk before going into a low power or even
	powered off mode.  Unless measures are taken  in  the operating system
	to protect the saved memory, passphrases or other sensitive material
	may be recoverable from it later.

So it seems that this warning will pop up if gpg is writing memory pages to disk
which is bad because as stated above we don't want these pages written to disk
which is a security risk.

> ---
>  t/t6300-for-each-ref.sh | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/t/t6300-for-each-ref.sh b/t/t6300-for-each-ref.sh
> index 5b434ab451..0f9981798e 100755
> --- a/t/t6300-for-each-ref.sh
> +++ b/t/t6300-for-each-ref.sh
> @@ -1764,12 +1764,13 @@ test_expect_success GPGSSH 'setup for signature atom using ssh' '
>  
>  test_expect_success GPG2 'bare signature atom' '
>  	git verify-commit first-signed 2>out.raw &&
> -	grep -Ev "checking the trustdb|PGP trust model" out.raw >out &&
> +	grep -Ev "checking the trustdb|PGP trust model|using insecure memory" out.raw >out &&
>  	head -3 out >expect &&
>  	tail -1 out >>expect &&
>  	echo  >>expect &&
>  	git for-each-ref refs/tags/first-signed \
> -		--format="%(signature)" >actual &&
> +		--format="%(signature)" >out.raw &&
> +	grep -Ev "using insecure memory" out.raw >actual &&
>  	test_cmp expect actual
>  '
>  
> -- 
> 2.41.0

We skip "checking the trustdb" and "PGP trust model" lines (which are not
warnings) here because we don't really need those from the output that GPG
produces here but skipping a warning too seems kind of a question mark.

It also seems that one could use "--no-secmem-warning" to suppress such a
warning. So a better place to make a change would not be in t/t6300 but in
t/lib-gpg from where the prereq GPG2 comes from. Although I'm against this,
because we don't really want to suppress any warnings.

I think it is a good thing this test is breaking because it informs us about
the security risk. I have Cc'ed people who might have a thought on this. So
it's better to wait for their response.

Thanks