Serious problem with detached sigs
Dale Harris
rodmur at piratehaven.org
Wed Nov 29 18:20:45 CET 2000
On Wed, Nov 29, 2000 at 07:55:33PM +0100, Rene Puls elucidated:
> This means that someone could, for example, modify the
> gnupg-1.0.4.tar.gz file on the FTP server, replace the .sig file with
> any message that is signed by Werner (no offense :) and nobody would
> notice, because the --verify command will correctly verify the
> detached signature (but as a full signed message, not as a detached
> signature).
>
I thought there always was some sort of checksum being done on a file instead
of just a signature. Is that not the case?
Dale
More information about the Gnupg-devel
mailing list