Serious problem with detached sigs

Werner Koch wk@gnupg.org
Thu, 30 Nov 2000 09:40:16 +0100


On Wed, 29 Nov 2000, Rene Puls wrote:


> to verify the detached signature against the signed file. If you now
> replace the "detached_sig" file with a full, clear-signed message

Does not need to be a cleartext file, a standard sig is sufficient to reveal this bug.

> A fix for this should be quite simple, by making sure that the
> detached_sig file given to the --verify command is *indeed* a detached

I won't say that it is easy, but it has to be done. I am working on it. Frankly, the whole logic in mainproc.c should be reworked; all that automagic processing depending on the data turns out to be a Bad Thing.

Thanks for pointing this out,

  Werner
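
The check asked for in the quoted text, sketched as an added example (not part of the original message and not GnuPG's code): accept a file as a detached signature only if every top-level OpenPGP packet in it is a Signature packet. It assumes binary, de-armored input and looks only at RFC 4880 packet framing; the function names and sample byte strings are constructed for illustration.

```python
SIGNATURE = 2  # RFC 4880 packet tag of a Signature packet

def _body_length(data, pos, hdr):
    """Return (body length, body offset) for the length field starting at pos."""
    if hdr & 0x40:  # new-format header
        first = data[pos]
        if first < 192:
            return first, pos + 1
        if first < 224:
            return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        if first == 255:
            return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        raise ValueError("partial body length")  # streamed data, not a bare signature
    ltype = hdr & 3  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length")
    size = (1, 2, 4)[ltype]
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def packet_tags(data):
    """List the tags of the top-level packets in binary (de-armored) OpenPGP data."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        tag = hdr & 0x3F if hdr & 0x40 else (hdr >> 2) & 0x0F
        length, body = _body_length(data, pos + 1, hdr)
        if body + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos = body + length
    return tags

def is_detached_signature(data):
    """True only if the data consists solely of Signature packets."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE for t in tags)

# Constructed samples: real framing, dummy packet bodies.
DETACHED_SIG = bytes([0x88, 3, 0, 0, 0])  # one Signature packet (tag 2)
SIGNED_MESSAGE = bytes([0x90, 1, 0, 0xAC, 2, 0x62, 0]) + DETACHED_SIG  # tags 4, 11, 2

if __name__ == "__main__":
    for name, blob in (("detached", DETACHED_SIG), ("signed message", SIGNED_MESSAGE)):
        print(name, packet_tags(blob), is_detached_signature(blob))
```

A file that carries its own Literal Data or One-Pass Signature packet is rejected before any verification result can be attributed to the separately supplied data file.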