using verify over stdin

Werner Koch wk at gnupg.org
Mon Nov 4 17:31:01 CET 2002


On Mon, 04 Nov 2002 06:18:05 -0800, Justin Karneges said:

>   gpg --armor --verify - -

You should not do it.  The above syntax does not work correctly and
might be vulnerable to attacks.  You should always know whether you
have a detached signature (2 files) or a binary or cleartext
signature.  The above syntax is only useful for detached signatures
and instead of piping the signature and the data to stdin, you should
either use files or

  gpg  --enable-special-filenames --verify - '-&5' <sig 5<data

With --enable-special-filenames you may - in most places - give an
open file descriptor number prefixed with "-&" instead of a filename.
"-" is the usual abbreviation for '-&0' or '-&1' depending on context.


Salam-Shalom,

   Werner
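
The detached-signature invocation from the message above, wrapped in a guard, as an added example that is not part of the original post or of GnuPG. The names `GPG_BIN`, `sig_kind` and `verify_detached` are hypothetical, and the sketch handles ASCII-armored signatures only: it checks the armor header first so the caller knows it has a detached signature, then passes the signature on stdin and the data on file descriptor 5.

```shell
#!/bin/sh
# Added example, not from the original post.
# GPG_BIN is an assumption of this sketch so the binary can be overridden.
GPG_BIN=${GPG_BIN:-gpg}

# sig_kind FILE: classify an ASCII-armored file by its first line.
# Prints detached, cleartext, inline or unknown (binary files are "unknown").
sig_kind() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in
        "-----BEGIN PGP SIGNATURE-----")      echo detached ;;
        "-----BEGIN PGP SIGNED MESSAGE-----") echo cleartext ;;
        "-----BEGIN PGP MESSAGE-----")        echo inline ;;
        *)                                    echo unknown ;;
    esac
}

# verify_detached SIGFILE DATAFILE
# Refuses anything that is not an armored detached signature, so the data
# being checked is always the file the caller named and never content
# embedded in the signature file itself.
verify_detached() {
    sig=$1
    data=$2
    kind=$(sig_kind "$sig")
    if [ "$kind" != detached ]; then
        echo "refusing: $sig is '$kind', not an armored detached signature" >&2
        return 2
    fi
    if [ ! -r "$data" ]; then
        echo "cannot read data file: $data" >&2
        return 2
    fi
    # stdin (-) carries only the signature; fd 5 (-&5) carries only the data.
    "$GPG_BIN" --enable-special-filenames --verify - '-&5' <"$sig" 5<"$data"
}

# Run directly as: script SIGFILE DATAFILE
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```

The function returns gpg's own exit status when the guard passes, and 2 when it refuses the input.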





