Serious problem with detached sigs

Werner Koch wk at gnupg.org
Thu Nov 30 09:40:16 CET 2000


On Wed, 29 Nov 2000, Rene Puls wrote:

> to verify the detached signature against the signed file. If you now
> replace the "detached_sig" file with a full, clear-signed message

Does not need to be a cleartext file, a standard sig is sufficient
to reveal this bug.

> 	A fix for this should be quite simple, by making sure that the
> detached_sig file given to the --verify command is *indeed* a detached

I won't say that it is easy, but it has to be done.  I am working on
it.  Frankly, the whole logic in mainproc.c should be reworked; all
that automagic processing depending on the data turns out to be a
Bad Thing.

Thanks for pointing this out,


  Werner
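
Added example, not part of this message and not GnuPG's code: one way to make the check the quoted text asks for, by walking the OpenPGP packet headers (RFC 4880, section 4.2) of a binary, already dearmored file and accepting it as a detached signature only if every top-level packet is a signature packet (tag 2). All function names and the sample byte strings are assumptions constructed for illustration.

```python
def _new_length(data, i):
    """Decode one new-format length at offset i: (length, next offset, partial?)."""
    o = data[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True      # partial body chunk, more follow

def packet_tags(data):
    """Return the tag of every top-level packet in a binary OpenPGP stream."""
    tags, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % (i - 1))
        if first & 0x40:                      # new-format header
            tag, partial = first & 0x3F, True
            while partial:
                n, i, partial = _new_length(data, i)
                i += n
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 3
            if ltype == 3:                    # indeterminate: runs to end of input
                i = len(data)
            else:
                size = 1 << ltype             # 1, 2 or 4 length octets
                i += size + int.from_bytes(data[i:i + size], "big")
        if i > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
    return tags

def is_detached_signature(data):
    """True only if the input is one or more signature packets and nothing else."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(tag == 2 for tag in tags)

# Constructed samples: packet bodies are filler, only the framing is meaningful.
def _pkt(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body

DETACHED = _pkt(2, b"\x00" * 24)
STANDARD = _pkt(4, b"\x00" * 13) + _pkt(11, b"b\x00\x00\x00\x00\x00hello") + DETACHED
```

A file that carries a one-pass signature, literal data or compressed data packet is rejected here before any signature verification is attempted.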


