Perl, GPG, and --passphrase-fd

Anthony E . Greene
Sat Jun 9 22:52:01 2001

On Sat, 09 Jun 2001 16:21:28 Christopher Maujean wrote:

>1. Having a passphrase hard coded, or having no passphrase at all means,=
>IMHO, that the origin of the message is untrusted, and unverifiable I=20
>can't trust that the signing key wasn't stolen and is being used by my=20
>arch-nemisis to impersonate my friend or business associate.
This is exactly why having an application on an untrusted machine sign encrypted messages is a waste of time. If you want to trust the data the app produces, you just have to safeguard the machine. A GPG sig doesn't add any value unless you trust the machine that produced it. Tony --=20 Anthony E. Greene <> <> PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D Chat: AOL/Yahoo: TonyG05 MSN: te_greene Linux. The choice of a GNU Generation. <>