use OpenPGP notations to sign the names of files to prevent file name tampering
Since 'GPG signatures do not authenticate filenames' (legacy/trac#2340 (moved)), consider using OpenPGP notations to embed the name of the file within the gpg signature.
Try this:

```sh
echo "test" > x
gpg --armor --set-notation file@name="x" --detach-sign x
gpg --verify-options show-notations --verify x.asc
```
Example output:

```text
~ $ echo "test" > x
~ $ gpg --armor --set-notation file@name="x" --detach-sign x
You need a passphrase to unlock the secret key for
user: "Patrick Schleizer <adrelanos@riseup.net>"
4096-bit RSA key, ID 77BB3C48, created 2014-01-16 (main key ID 2EEACCDA)
~ $ gpg --verify-options show-notations --verify x.asc
gpg: Signature made Mon 12 Jan 2015 11:13:19 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=x
~ $
```
You could then consider telling users in the verification documentation to add `--verify-options show-notations` to their `gpg --verify` command to verify file names.
Not a perfect solution, but a lightweight one. It could be the first step toward something better. Could it be done and automated by a signature-creation shell script that you might already have?
(Asked about this on the gnupg-users mailing list by the way.)
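A verifier-side check of the notation, as an added example that is not part of this ticket or of GnuPG: it parses the machine-readable output of `gpg --status-fd` and accepts the signature only when gpg reports it as good and the `file@name` notation equals the name the file actually has on disk. The status lines at the bottom are constructed for the test, not captured from a real run.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports GOODSIG
# *and* the file@name notation equals the name the file has on disk.
# Input is the machine-readable output of:
#   gpg --status-fd 1 --verify "$sig" "$file"
# gpg %XX-escapes notation data, so this check covers plain names
# (no spaces or special characters); decode first otherwise.
check_file_notation() {
    status_text=$1   # captured --status-fd output
    expected=$2      # basename the signer should have embedded
    goodsig=0; found=0; pending=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*) goodsig=1 ;;
            "[GNUPG:] NOTATION_NAME file@name") pending=1 ;;
            "[GNUPG:] NOTATION_NAME "*) pending=0 ;;   # another notation
            "[GNUPG:] NOTATION_DATA "*)
                if [ "$pending" -eq 1 ]; then
                    data=${line#"[GNUPG:] NOTATION_DATA "}
                    [ "$data" = "$expected" ] && found=1
                    pending=0
                fi ;;
        esac
    done <<EOF
$status_text
EOF
    [ "$goodsig" -eq 1 ] && [ "$found" -eq 1 ]
}

# Wrapper for real use (not exercised offline): run gpg, then check.
verify_named_file() {
    file=$1; sig=${2:-$file.asc}
    out=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    check_file_notation "$out" "$(basename "$file")"
}

# Constructed sample status output, modelled on the session above
# (long key ID taken from the fingerprint shown there).
STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA x'
# A good signature that carries no notation: a rename would go unnoticed,
# so the check rejects it too.
STATUS_NO_NOTATION='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>'
STATUS_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA x'
```

Calling `check_file_notation "$STATUS_OK" x` succeeds, while handing the same status output the name `y` (the renamed-file case), a good signature without the notation, or a BADSIG all fail.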