verifying a file
Kent Tong
kent@cpttm.org.mo
Fri Nov 23 02:06:01 2001
> On Thu, 22 Nov 2001 18:45:25 +0800, Kent Tong said:
>
> > I notice that when I verify a detached signature, gpg will not
> > check the integrity of my public keyrings (because it doesn't
> > ask for my passphrase). My question is, what if someone puts some
>
> This is pointless. If someone is able to modify your keyring he can
> do all kinds of stuff - including sniffing your passphrase and
> trojaning your binaries.

Does it mean that root can do anything he wants? On Windows, it is even
more dangerous, as by default the keyrings are stored in c:\gnupg
where everyone can access them? About trojaning the binaries, how can
the problem best be alleviated?

I believe that we can sign the public keys. When are these signatures
checked? It seems they are not used at all.