[Announce] GnuPG 2.1.0 "modern" released

Peter Lebbing peter at digitalbrains.com
Sun Nov 9 11:18:30 CET 2014

Hash: SHA1

On 07/11/14 22:21, Simon Nicolussi wrote:
> Invoking GnuPG that way is insecure without knowing the contents of the 
> signature file. An attacker could have replaced it by something that's not,
> in fact, a detached signature.

Oops! Very nice find, kudos!

> Future announcements should call --verify with two files as arguments; the
> same goes for https://www.gnupg.org/download/integrity_check.html:
>> gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2.sig

However, here's a small mistake. This should read:

gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2

For people not acquainted with this syntax: when --verify has multiple
arguments, the first one is the detached signature and the remaining arguments
are the signed files.

And finally, there is another little thing wrong with the announcement:

> GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server.  The list of mirrors can be found at
> https://gnupg.org/mirrors.html .  Note that GnuPG is not available at
> ftp.gnu.org.

That is the list of WWW mirrors. It seems more useful to link to
https://gnupg.org/download/mirrors.html .



- -- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

More information about the Gnupg-users mailing list