GPG Still sees good sign with revoked subkey still works - digital-signature

I have created a key, and created a subkey. With a subkey, I signed a file. Verification works. Revoked the key, verification does not hold. This is the expected behavior.
However, If I try to sign with the same subkey and verify it still works. What am I doing wrong? Here is what am I doing in full:
$ gpg --gen-key
$ gpg -k
/Users/mustafa/.gnupg/pubring.kbx
---------------------------------
pub rsa2048 2019-02-03 [SC] [expires: 2021-02-02]
5DD923FBCF6392A5CB366167D4C0627A07510C6C
uid [ultimate] Mustafa <mustafa91#gmail.com>
sub rsa2048 2019-02-03 [E] [expires: 2021-02-02]
Using edit key, add a subkey.
$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
gpg> addkey
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
ssb rsa2048/38616BDAE66E418C
created: 2019-02-03 expires: 2019-02-13 usage: S
[ultimate] (1). Mustafa <mustafa91#gmail.com>
gpg> q
Save changes? (y/N) y
Sign a file and verify it.
$ gpg --armor --detach-sign --default-key 38616BDAE66E418C test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:49:43 2019 +03
gpg: using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91#gmail.com>" [ultimate]
Revoke the key with message "This key is now in the hands of the enemy."
$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg> key 2
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
ssb* rsa2048/38616BDAE66E418C
created: 2019-02-03 expires: 2019-02-13 usage: S
gpg> revkey
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
The following key was revoked on 2019-02-03 by RSA key D4C0627A07510C6C Mustafa <mustafa91#gmail.com>
ssb rsa2048/38616BDAE66E418C
created: 2019-02-03 revoked: 2019-02-03 usage: S
[ultimate] (1). Mustafa <mustafa91#gmail.com>
Try to verify the old signature and see it fails.
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:49:43 2019 +03
gpg: using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91#gmail.com>" [ultimate]
gpg: WARNING: This subkey has been revoked by its owner!
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: This key is now in the hands of the enemy.
However, trying to sign with revoked key.
$ rm test.key.asc
$ gpg --armor --detach-sign --default-key 38616BDAE66E418C test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing
Why does it not fail? How can it be verified?
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:53:11 2019 +03
gpg: using RSA key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg: Good signature from "Mustafa <mustafa91#gmail.com>" [ultimate]

Look at your last two excerpts. Despite the fact that you specified the default signing key to be 38616BDAE66E418C, when you do the verify it reports having been signed with D4C0627A07510C6C.
If you utilize the -v verbose option of gpg, you will see that if the specified default key is revoked, it falls back to the next usable signing key.
To illustrate this, I recreated your scenario:
sec rsa2048/4E5CB15076F1318E
created: 2019-02-09 expires: 2021-02-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/3303CBB274AECA3B
created: 2019-02-09 expires: 2021-02-08 usage: E
The following key was revoked on 2019-02-09 by RSA key 4E5CB15076F1318E Herp Derp <herp#derp.com>
ssb rsa2048/8ABD3900E64E7972
created: 2019-02-09 revoked: 2019-02-09 usage: S
[ultimate] (1). Herp Derp <herp#derp.com>
Signing with subkey prior to revoking:
$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: using subkey 8ABD3900E64E7972 instead of primary key 4E5CB15076F1318E
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "8ABD3900E64E7972 Herp Derp <herp#derp.com>"
Signing with subkey after revoking:
$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "4E5CB15076F1318E Herp Derp <herp#derp.com>"
You can see that in the second example, gpg identifies the subkey as revoked and falls back to the primary key.

Related

Import PGP public key from Fingerprint

I have the fingerprint 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6 and I want to download the public key to verify the archive.
I'd like to download the key from terminal, and I try to use that command:
gpg --search-keys "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6"
And I get this result
gpg: data source: https://keys.openpgp.org:443
(1) 2048 bit RSA key 74810B012346C9A6, created: 2011-08-24
Keys 1-1 of 1 for "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6".
Enter number(s), N)ext, or Q)uit > n
Then I use recv-key
gpg --recv-key 74810B012346C9A6
Result:
gpg: key 74810B012346C9A6: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
I did some research and I tried again with:
gpg --keyserver keyserver.ubuntu.com --recv 74810B012346C9A6
result:
gpg: key 74810B012346C9A6: public key "Wladimir J. van der Laan <laanwj#visucore.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
With the command list-keys I can see that result:
gpg --list-keys
pub rsa2048 2011-08-24 [SC] [expires: 2022-02-10]
71A3B16735405025D447E8F274810B012346C9A6
uid [ unknown] Wladimir J. van der Laan <laanwj#visucore.com>
uid [ unknown] Wladimir J. van der Laan <laanwj#gmail.com>
uid [ unknown] Wladimir J. van der Laan <laanwj#protonmail.com>
sub rsa2048 2017-05-17 [S] [expires: 2022-02-10]
sub rsa2048 2017-05-17 [A] [expires: 2022-02-10]
sub rsa2048 2011-08-24 [E]
Now, I tried to do the verification
gpg --verify SHA256SUMS.asc
result:
gpg: Signature made Sun Nov 24 10:14:42 2019 CET
gpg: using RSA key 90C8019E36C2E964
gpg: Can't check signature: No public key
I tried to download the public key form https://bitcoin.org/en/full-node#mac-os-x-yosemite-1010x and https://keys.openpgp.org (with fingerprint) But I Get different values.
This question was asked over 1 year ago, but I'll answer anyway in case it helps someone:
First, at step:
Enter number(s), N)ext, or Q)uit > n
You should've typed 1 to import that key. That would've imported it right away, so you wouldn't have to use --recv-keys later.
But the real reason the verification failed is because the key you imported is different from the key used to sign the file. As you can read from the link you posted:
Earlier releases were signed by Wladimir J. van der Laan’s regular key. That key’s fingerprint is: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6.
So you imported an old key. The correct one is exactly there:
The 0.11 and later releases are signed by Wladimir J. van der Laan’s releases key with the fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964.
Finally, the key you imported is marked as [ unknown] because you haven't signed it. You can do that by using gpg --sign-key <user-id>, so it will be marked as [ full ], meaning you trust it.
Import keys from gist.github.com/laanwj/8368525bba4d89488dd5a0418884d91d
while read line; do gpg --keyserver keyserver.ubuntu.com --recv-key ${line:0:41}; done < keys.txt | curl -fsSL https://gist.githubusercontent.com/laanwj/8368525bba4d89488dd5a0418884d91d/raw/0ff5573bf5c0b932d2ca567f77fadf038816c7b8/keys.txt -o keys.txt

Read Old Transaction in Hyperledger Fabric

I wish I could read the payload of a transaction and be able to extract information. I created a new entry in the ledger by invoking my chaincode's "createPerson" method
+ peer chaincode invoke -o orderer.example.com:7050 --waitForEvent --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C mychannel -n agrifood -c '{"Args":["createPerson","ADMIN0","GIACOMO","BAIAMONTE","06/04/1992"]}' --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
+ res=0
+ set +x
2020-02-04 16:11:07.796 UTC [chaincodeCmd] ClientWait -> INFO 001 txid [2a46c341d130e02df9b8c874cc7c91623c09b83d92d5058d73e04ec29dcc4ccb] committed with status (VALID) at peer0.org1.example.com:7051
2020-02-04 16:11:07.796 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 002 Chaincode invoke successful. result: status:200
From the cli I invoke the following command
peer chaincode query -C "mychannel" -n qscc -c '{"Args":["GetTransactionByID", "mychannel", "2a46c341d130e02df9b8c874cc7c91623c09b83d92d5058d73e04ec29dcc4ccb"]}'
And I get the following output
�
�
�
�
��������" mychannel*#2a46c341d130e02df9b8c874cc7c91623c09b83d92d5058d73e04ec29dcc4ccb:
agrifood�
�
Org1MSP�-----BEGIN CERTIFICATE-----
MIICKTCCAdCgAwIBAgIRALz/BhhCP8Nix7wdAENP2iAwCgYIKoZIzj0EAwIwczEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh
Lm9yZzEuZXhhbXBsZS5jb20wHhcNMjAwMjA0MTYwNTAwWhcNMzAwMjAxMTYwNTAw
WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
U2FuIEZyYW5jaXNjbzEOMAwGA1UECxMFYWRtaW4xHzAdBgNVBAMMFkFkbWluQG9y
ZzEuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREshakyciI
ajGOcnSafW1VeQRyrU1daKt8T8ChxOczK7ZmqtStqMoTV6p0taG+gEt6h4izjASU
GZoAu8TBwDlco00wSzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNV
HSMEJDAigCDuZFnU+UUOj0124lRSe7mdb4T2tx+JONu/JEBM9xuySzAKBggqhkjO
PQQDAgNHADBEAiB96pv1IaZaUVEN8mA0Reu7FbMu1pG5MpYRyMrbeXVOAwIgaSGP
XLrsTVPkalB8TY2xDU6QRoavFc4BaUCaJqq1o3E=
-----END CERTIFICATE-----
sy��
�&\K��^�ZCA!��
�
�
�
Org1MSP�-----BEGIN CERTIFICATE-----
MIICKTCCAdCgAwIBAgIRALz/BhhCP8Nix7wdAENP2iAwCgYIKoZIzj0EAwIwczEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh
Lm9yZzEuZXhhbXBsZS5jb20wHhcNMjAwMjA0MTYwNTAwWhcNMzAwMjAxMTYwNTAw
WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
U2FuIEZyYW5jaXNjbzEOMAwGA1UECxMFYWRtaW4xHzAdBgNVBAMMFkFkbWluQG9y
ZzEuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREshakyciI
ajGOcnSafW1VeQRyrU1daKt8T8ChxOczK7ZmqtStqMoTV6p0taG+gEt6h4izjASU
GZoAu8TBwDlco00wSzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNV
HSMEJDAigCDuZFnU+UUOj0124lRSe7mdb4T2tx+JONu/JEBM9xuySzAKBggqhkjO
PQQDAgNHADBEAiB96pv1IaZaUVEN8mA0Reu7FbMu1pG5MpYRyMrbeXVOAwIgaSGP
XLrsTVPkalB8TY2xDU6QRoavFc4BaUCaJqq1o3E=
-----END CERTIFICATE-----
sy��
�&\K��^�ZCA!��
J
H
F
agrifood�6
createPerson
ADMIN0
GIACOMO
BAIAMONTE
06/04/1992�
�
~��VM<o.
�S�B���j�#��� �
��
agrifood�
ADMIN0
LASTPERSON�
LASTPERSON�0�^
PERSON0�S{"issuer":"ADMIN0","name":"GIACOMO","surname":"BAIAMONTE","birthdate":"06/04/1992"}
lscc
agrifoo�agrifood�0.1�
�
Org1MSP�-----BEGIN CERTIFICATE-----
MIICJzCCAc6gAwIBAgIQf0eP9nAcSiuwM74L4SdqWDAKBggqhkjOPQQDAjBzMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu
b3JnMS5leGFtcGxlLmNvbTAeFw0yMDAyMDQxNjA1MDBaFw0zMDAyMDExNjA1MDBa
MGoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMQ0wCwYDVQQLEwRwZWVyMR8wHQYDVQQDExZwZWVyMC5vcmcx
LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEnWpcbxPA3Dt
bv5vmv8Rb9XkpFUGxLoe8Gm/GXgMIsEdYx9xm+B0TfSQhlex3+DsKxvO+mwfOy1R
XDlOUp6zT6NNMEswDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0j
BCQwIoAg7mRZ1PlFDo9NduJUUnu5nW+E9rcfiTjbvyRATPcbskswCgYIKoZIzj0E
AwIDRwAwRAIgV6UymH5EOJVn57/Q+PzNrTtl3kQthh9DRL9Z4Rd5/CkCIDgwhRbn
OCcot+ZMBe1l2TUJR30BSKSmnSfilMOYYpQy
-----END CERTIFICATE-----
G0E!��{��n n����u{���DFr� 4�ڨ &Y�f��'��ti�m:��9$��ܦr���S笕G0E!ۖ%��m�+!�l�k����A��O���cO/* $�w�a=B�����
��;�+I
u=N]��=D��
It seems that an incorrect encoding is used, the environment variable "LANG" of the cli is "en_US.UTF-8".
I believe that if the encoding was correct I could be able to parse some information such as the name of the method invoked by that transaction. Is it normal for the output to look like this? Are there other ways to read information from a transaction? Thanks in advance

openssl unknown option error

I ran this script below:
#!/bin/bash
keyFile=video.key
openssl rand 16 > $keyFile
encryptionKey=$(cat $keyFile | hexdump -e '16/1 "%02x"')
splitFilePrefix=stream
encryptedSplitFilePrefix=enc/${splitFilePrefix}
numberOfTsFiles=$(ls ${splitFilePrefix}*.ts | wc -l)
for (( i=1; i<$numberOfTsFiles; i++ ))
do
initializationVector=printf '%032x' $i
openssl aes-128-cbc -e -in ${splitFilePrefix}$i.ts -out ${encryptedSplitFilePrefix}$i.ts -nosalt -iv $initializationVector -K $encryptionKey
done
right after the execution, the bash gives me an error:
./script.sh: line 14: fg: no job control
unknown option '9d268d620c68938b4578c3f299c91a1a'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-S salt in hex is the next argument
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-nopad disable standard block padding
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb
-aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr
-aes-128-ecb -aes-128-gcm -aes-128-ofb
-aes-128-xts -aes-192-cbc -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
-aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb
-aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr
-aes-256-ecb -aes-256-gcm -aes-256-ofb
-aes-256-xts -aes128 -aes192
-aes256 -bf -bf-cbc
-bf-cfb -bf-ecb -bf-ofb
-blowfish -camellia-128-cbc -camellia-128-cfb
-camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb
-camellia-128-ofb -camellia-192-cbc -camellia-192-cfb
-camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb
-camellia-192-ofb -camellia-256-cbc -camellia-256-cfb
-camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb
-camellia-256-ofb -camellia128 -camellia192
-camellia256 -cast -cast-cbc
-cast5-cbc -cast5-cfb -cast5-ecb
-cast5-ofb -des -des-cbc
-des-cfb -des-cfb1 -des-cfb8
-des-ecb -des-ede -des-ede-cbc
-des-ede-cfb -des-ede-ofb -des-ede3
-des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1
-des-ede3-cfb8 -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-id-aes128-GCM -id-aes192-GCM -id-aes256-GCM
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
-rc4-hmac-md5 -seed -seed-cbc
-seed-cfb -seed-ecb -seed-ofb
I read openssl manual and thought either -K or -iv part is wrong, but couldn't figure out which option and why is it wrong
Your problem is that this line:
initializationVector=printf '%032x' $i
Should look like this:
initializationVector=$(printf '%032x' $i)
It made initializationVector empty.
You can find it out if you add set -x at the top, and then see exactly what is the command line you're attempting to run.
before fixing it looked like this:
openssl aes-128-cbc -e -in stream1.ts -out enc/stream1.ts -nosalt -iv -K 7aeb2faae0289b9828b2994f50a4cc3a
which made openssl command think that -K is the value for the -iv option, and the key itself is another command option.
Hence the error: unknown option '7aeb2faae0289b9828b2994f50a4cc3a' (in my case).
do
initializationVector=printf '%032x' $i
openssl aes-128-cbc -e -in ${splitFilePrefix}$i.ts -out ${encryptedSplitFilePrefix}$i.ts \
-nosalt -iv $initializationVector -K $encryptionKey
done
You are missing the leading dash on the cipher. Try -aes-128-cbc instead. From the enc(1) docs:
SYNOPSIS
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A]
[-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p]
[-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

Storing command output in bash "Here Document"

Below is a small bash script. The expected output after connecting to the server is to print Hello World and in the next line the current month and year - like Jan 2014. For using VARIABLE1 in the 'here document', I need dollar expansion, so the terminating character ~ is not quoted.
VARIABLE1="World"
ssh username#server.domain.com <<~
echo "Hello $VARIABLE1"
COMMAND1=`date +%b`
COMMAND2=$(date +%Y)
echo "$COMMAND1 $COMMAND2"
~
The actual output that I get is this :
Pseudo-terminal will not be allocated because stdin is not a terminal.
Password:
Hello World
When ssh is run in verbose mode, here is last part of the output:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: *****
debug1: Trying private key: *****
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: Final hpn_buffer_size = *****
debug1: HPN Disabled: 0, HPN Buffer Size: *****
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
Hello World
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1552, received 2360 bytes, in 0.1 seconds
Bytes per second: sent 17253.2, received 26235.6
debug1: Exit status 0
Could somebody point out the bug here? Why doesn't it print Jan 2014?
There is some information here about how to force a tty, however, your script should work if you escape your characters properly:
VARIABLE1="World"
ssh username#server.domain.com <<EOF
echo Hello $VARIABLE1
COMMAND1=\`date +%b\`
COMMAND2=\$(date +%Y)
echo "\$COMMAND1 \$COMMAND2"
EOF
If you want to force the tty:
ssh -t -t user#domain.com <<EOF
echo Hello $VARIABLE1
COMMAND1=\`date +%b\`
COMMAND2=\$(date +%Y)
echo "\$COMMAND1 \$COMMAND2"
exit
EOF
Alternatively, you could just send the script as an argument to ssh:
ssh user#domain.com "echo Hello $VARIABLE1;COMMAND1=\`date +%b\`; COMMAND2=\$(date +%Y); echo \$COMMAND1 \$COMMAND2"
EDIT: If you want to disable the message about the Pseudo-terminal allocation use "-T":
VARIABLE1="World"
ssh -T username#server.domain.com <<EOF
echo Hello $VARIABLE1
COMMAND1=\`date +%b\`
COMMAND2=\$(date +%Y)
echo "\$COMMAND1 \$COMMAND2"
EOF

Integrity Measurement Architecture(IMA) & Linux Extended Verification Module (EVM)

I am trying to activate IMA appraisal & EVM modules.
After compiling linux kernel 3.10.2 on my bt5R3 and setting kernel boot option in a first time like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"
and after running this command to generate xattr security.ima and security.evm
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;
like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"
I try to create digital signature of xattr like it's recommended on this tutorial
Tutorial to IMA & EVM
Every steps have been followed, creating RSA keys, loading them early at boot in initramfs with keyctl.
Session Keyring
-3 --alswrv 0 65534 keyring: _uid_ses.0
977514165 --alswrv 0 65534 \_ keyring: _uid.0
572301790 --alswrv 0 0 \_ user: kmk-user
126316032 --alswrv 0 0 \_ encrypted: evm-key
570886575 --alswrv 0 0 \_ keyring: _ima
304346597 --alswrv 0 0 \_ keyring: _evm
However as soon as I reboot my OS when I try to read a signed and hashed file I get the error "Permission Denied"
Running dmesg tells me :
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="**invalid-HMAC**" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
Have you any idea why i get invalid HMAC ?
They keys are loaded like the tutorial says...
#!/bin/sh -e
PREREQ=""
# Output pre-requisites
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
grep -q "ima=off" /proc/cmdline && exit 1
mount -n -t securityfs securityfs /sys/kernel/security
IMA_POLICY=/sys/kernel/security/ima/policy
LSM_POLICY=/etc/ima_policy
grep -v "^#" $LSM_POLICY >$IMA_POLICY
# import EVM HMAC key
keyctl show |grep -q kmk || keyctl add user kmk "testing123" #u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" #u
#keyctl revoke kmk
# import Module public key
mod_id=`keyctl newring _module #u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id
# import IMA public key
ima_id=`keyctl newring _ima #u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm #u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
Thanks for your help
Solved, new kernel use HMAC v2 and you have to activate asymmetric key when you compile kernel.
cat .config should have this entries:
CONFIG_EVM_HMAC_VERSION=2
CONFIG_ASYMMETRIC_KEY_TYPE=y
Then when you hash or sign a file use
evmctl -u - -x --imasig/--imahash $file
As well you should have create the asymetric keys and load them in _evm and _ima keyring with keyctl with initramfs.

Resources