GnuPG does not detect injection of unsigned data
dshaw at jabberwocky.com
Fri Jun 2 14:56:32 CEST 2006
On Thu, Jun 01, 2006 at 04:33:03PM +0200, gpgdev.5.signal11 at spamgourmet.com wrote:
> From the background information in the announcement, it seems that this
> problem does not affect cleartext signatures.
> Am I correct, or is this a misinterpretation? The announcement sounds
> like gpg would still correctly verify (only) data covered by the signature, but then
> output data which is not covered by the signature. So it would still be safe to
> assume that anything between -----BEGIN PGP SIGNED MESSAGE----- and the
> following -----BEGIN PGP SIGNATURE----- is correctly validated(?).
The problem does not affect cleartext signatures.
Just for reference, the problem also does not affect signed software
tarballs (i.e. detached signatures), or PGP/MIME signed emails
(they're actually detached signatures).
The problem *might* affect PGP/MIME signed+encrypted emails,
signed+encrypted files in general, or unencrypted but binary (not
cleartext) signed messages.
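Added example, not code from the thread or from GnuPG: a small parser that makes the boundary the question above relies on explicit, splitting a cleartext-signed message into the region between -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE----- (the only text the signature covers, after dash-unescaping) and anything before or after the armor, which is unsigned and must not be shown as verified. It does not verify the signature itself; the sample message and its signature body are constructed placeholders.

```python
"""Split an OpenPGP cleartext-signed message into signed and unsigned parts.
Added example for the thread above, not GnuPG's code; it does not verify
the signature (gpg does that), it only makes the signed boundary explicit."""
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_cleartext_signed(message: str) -> dict:
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a complete cleartext-signed message") from exc
    # RFC 4880 sect. 7: armor headers ("Hash: ..."), one blank line, then the
    # signed text, in which lines starting with "-" are dash-escaped as "- ".
    body = lines[start + 1:sig_start]
    if "" not in body:
        raise ValueError("missing blank line after armor headers")
    blank = body.index("")
    signed = [l[2:] if l.startswith("- ") else l for l in body[blank + 1:]]
    return {
        "hash_headers": body[:blank],
        "signed_text": "\n".join(signed),
        "signature": "\n".join(lines[sig_start:sig_end + 1]),
        # Anything below is NOT covered by the signature; never present it
        # to a user as if it had been verified.
        "unsigned_before": "\n".join(lines[:start]),
        "unsigned_after": "\n".join(lines[sig_end + 1:]),
    }


# Constructed sample; the signature body is a placeholder, not real data.
SAMPLE = """\
Unsigned preamble (not covered)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Release 1.0 is at https://example.invalid/
- - dash-escaped line
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-DATA
=XXXX
-----END PGP SIGNATURE-----
Injected trailer (not covered)
"""
```

A caller that displays only `signed_text` after gpg reports a good signature, and treats `unsigned_before` and `unsigned_after` as untrusted, cannot be fooled by data appended outside the armor.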