Option in gpg to copy STDIN to STDOUT instead of nowhere.

Werner Koch wk at gnupg.org
Wed Dec 20 14:49:22 CET 2023

On Tue, 19 Dec 2023 14:42, Andrew Gallagher said:

> Transparently decrypting inline messages opens you up to all sorts of
> smuggling attacks, where it is not clear from the output which parts


> while true; do
> 	IFS= read -r line
> 	while [[ $line != “-----BEGIN PGP MESSAGE-----” ]]; do
> 		echo “$line”
> 		IFS= read -r line
> 	done
> 	echo “<<<<<BEGIN DECRYPTED MESSAGE>>>>>"

FWIW, here we get into the first trouble.  Inserting a plaintext
followed by some pages of white space or several FF after the BEGIN
header followed by another BEGIN header allows to push something else
underneath a signed (and encrypted) message.

That is also why PGP/MIME is a better way to send mails than inline PGP.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20231220/ad20fc45/attachment.sig>

More information about the Gnupg-devel mailing list