[Announce] GnuPG 2.1.0 "modern" released
Peter Lebbing
peter at digitalbrains.com
Sun Nov 9 11:18:30 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/11/14 22:21, Simon Nicolussi wrote:
> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's not,
> in fact, a detached signature.
Oops! Very nice find, kudos!
> Future announcements should call --verify with two files as arguments; the
> same goes for https://www.gnupg.org/download/integrity_check.html:
>> gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2.sig
However, here's a small mistake. This should read:
gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2
For people not acquainted with this syntax: when --verify has multiple
arguments, the first one is the detached signature and the remaining arguments
are the signed files.
And finally, there is another little thing wrong with the announcement:
> GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server. The list of mirrors can be found at
> https://gnupg.org/mirrors.html . Note that GnuPG is not available at
> ftp.gnu.org.
That is the list of WWW mirrors. It seems more useful to link to
https://gnupg.org/download/mirrors.html .
HTH,
Peter.
- --
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
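As an added example for the --verify discussion above (this is not code from the thread or from GnuPG): a small pre-check that a downloaded `.sig` file really is a detached signature, i.e. that it contains nothing but OpenPGP signature packets. An inline-signed message (one-pass signature, literal data, signature) would pass a one-argument `gpg --verify file.sig` with a "Good signature" on the embedded content, which is the substitution the thread warns about. The packet framing follows RFC 4880 sections 4.2 and 4.3; the byte strings at the bottom are constructed samples with dummy bodies. The two-argument invocation from the message, `gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2`, remains the actual fix; this check only makes the mismatch visible before you reach for gpg.

```python
"""Check that a .sig file consists solely of OpenPGP signature packets.

Added example, not GnuPG code. Walks binary OpenPGP packet headers
(RFC 4880 4.2/4.3); ASCII-armored input is dearmored first.
"""
import base64

TAG_SIGNATURE = 2
# Packet tags relevant to telling a detached signature from a signed message
TAG_NAMES = {2: "signature", 4: "one-pass signature",
             8: "compressed data", 11: "literal data"}


def _take(data, pos, n):
    """Return data[pos:pos+n], failing loudly if the input is truncated."""
    chunk = data[pos:pos + n]
    if len(chunk) != n:
        raise ValueError(f"truncated packet at offset {pos}")
    return chunk


def parse_packets(data: bytes):
    """Return a list of (tag, body) for the binary OpenPGP packets in data."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:                   # bit 7 must be set on every header
            raise ValueError(f"byte 0x{ctb:02x} at offset {pos} is not a packet header")
        pos += 1
        if ctb & 0x40:                       # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            first = _take(data, pos, 1)[0]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + _take(data, pos, 1)[0] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(_take(data, pos, 4), "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                # old-format header: tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(_take(data, pos, size), "big")
            pos += size
        packets.append((tag, _take(data, pos, length)))
        pos += length
    return packets


def dearmor(text: bytes) -> bytes:
    """Strip '-----BEGIN PGP ...' armor and return the binary packet data."""
    lines = text.decode("ascii").splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
        blank = next(i for i in range(start + 1, len(lines)) if lines[i].strip() == "")
        end = next(i for i in range(blank + 1, len(lines)) if lines[i].startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("malformed ASCII armor") from None
    # Lines beginning with '=' carry the CRC24 checksum, not packet data
    b64 = "".join(l for l in lines[blank + 1:end] if not l.startswith("="))
    return base64.b64decode(b64, validate=True)


def load_signature(raw: bytes) -> bytes:
    """Accept binary or ASCII-armored input and return binary packet data."""
    return dearmor(raw) if raw.lstrip().startswith(b"-----BEGIN PGP ") else raw


def is_detached_signature(raw: bytes) -> bool:
    """True only if every packet in the file is a signature packet (tag 2)."""
    packets = parse_packets(load_signature(raw))
    return bool(packets) and all(tag == TAG_SIGNATURE for tag, _ in packets)


def describe(raw: bytes):
    """Human-readable list of packet types, for the error message."""
    return [TAG_NAMES.get(tag, f"tag {tag}") for tag, _ in parse_packets(load_signature(raw))]


# Constructed samples: real OpenPGP framing, dummy packet bodies.
DETACHED_SIG = bytes([0x89, 0x00, 0x04]) + b"\x04\x00\x01\x08"        # old-format tag 2
INLINE_SIGNED = (bytes([0x90, 0x03]) + b"\x03\x00\x08"                # tag 4 one-pass sig
                 + bytes([0xAC, 0x08]) + b"b\x00\x00\x00\x00\x00hi"   # tag 11 literal data
                 + bytes([0xC2, 0x04]) + b"\x04\x00\x01\x08")         # new-format tag 2
ARMORED_SIG = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
               + base64.b64encode(DETACHED_SIG) + b"\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, blob in (("detached", DETACHED_SIG), ("inline-signed", INLINE_SIGNED),
                       ("armored", ARMORED_SIG)):
        print(f"{name:14s} {describe(blob)} detached={is_detached_signature(blob)}")
```

Running it prints one line per sample; only the detached and armored samples report `detached=True`. In practice you would feed it the downloaded `.sig` file and refuse to proceed when the result is anything other than a pure list of signature packets.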