Serious problem with detached sigs

Dale Harris rodmur at
Wed Nov 29 18:20:45 CET 2000

On Wed, Nov 29, 2000 at 07:55:33PM +0100, Rene Puls elucidated:
> 	This means that someone could, for example, modify the
> gnupg-1.0.4.tar.gz file on the FTP server, replace the .sig file with
> any message that is signed by Werner (no offense :) and nobody would
> notice, because the --verify command will correctly verify the
> detached signature (but as a full signed message, not as a detached
> signature).

I thought there always was some sort of checksum being done on a file instead
of just a signature.  Is that not the case?
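One way to catch the substitution Rene describes before handing the file to gpg, as an added example that is not part of this thread or of GnuPG: inspect the binary .sig file's OpenPGP packet headers (RFC 4880 section 4.2) and accept it only if every packet is a signature packet (tag 2), so a file that is really a complete signed message (one-pass signature tag 4 and literal data tag 11) is rejected. The sample inputs are constructed with dummy packet bodies; ASCII-armored signatures are assumed to have been dearmored first.

```python
# Packet tags from RFC 4880 section 4.3
SIGNATURE, ONE_PASS_SIG, LITERAL_DATA = 2, 4, 11


def parse_packet_tags(data: bytes) -> list[int]:
    """Return the tag of each OpenPGP packet in `data`, walking the headers only."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-length body length
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 4-bit tag, 2-bit length-type (1, 2 or 4 octets)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags


def is_detached_signature(data: bytes) -> bool:
    """True only if the file consists solely of signature packets."""
    tags = parse_packet_tags(data)
    return bool(tags) and all(t == SIGNATURE for t in tags)


# Constructed samples (dummy bodies, not real signatures)
DETACHED_SIG = bytes([0x88, 3]) + b"sig" + bytes([0xC2, 3]) + b"sig"  # old + new format sig packets
SIGNED_MESSAGE = (bytes([0x90, 2]) + b"op"       # one-pass signature
                  + bytes([0xAC, 5]) + b"hello"  # literal data (the substituted "message")
                  + bytes([0x88, 3]) + b"sig")   # signature over that literal data
```

Run the check on the downloaded .sig before calling `gpg --verify`; a file that fails it should be treated as tampered even if gpg reports a good signature.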