[Announce] GnuPG 2.1.0 "modern" released
Werner Koch
wk at gnupg.org
Mon Nov 10 09:48:28 CET 2014
On Fri, 7 Nov 2014 22:21, sinic at sinic.name said:
> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's
> not, in fact, a detached signature.
I guess that this bug exists at least since 1.0.4 and I consider this a
serious flaw. I am thinking about a proper solution which limits
breakage.
As a quick minimal fix I changed the instructions on the website.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
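
Added example, not part of the original message and not GnuPG code: one way to check that a downloaded signature file really is a detached signature before verifying with it, by parsing the RFC 4880 packet headers and accepting only Signature packets (tag 2). It assumes binary (dearmored) input; the function names and the sample byte strings are constructed for illustration.

```python
SIGNATURE_TAG = 2  # RFC 4880 packet tag for a Signature packet

def packet_tags(data: bytes) -> list:
    """Return the tags of the top-level OpenPGP packets in binary data."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            if first < 192:                  # one-octet length
                length, pos = first, pos + 1
            elif first < 224:                # two-octet length
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:               # five-octet length
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:                            # partial lengths are for data packets
                raise ValueError("partial body length")
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if size is None:                 # indeterminate length: streamed data
                raise ValueError("indeterminate length")
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if data is non-empty and consists solely of Signature packets."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE_TAG for t in tags)

# Constructed samples: packet bodies are filler bytes, not real signatures.
DETACHED = bytes([0x88, 4]) + b"\x00" * 4              # old-format tag 2 only
INLINE = (bytes([0xC4, 3]) + b"\x00" * 3               # tag 4, one-pass signature
          + bytes([0xCB, 5]) + b"hello"                # tag 11, literal data
          + bytes([0xC2, 4]) + b"\x00" * 4)            # tag 2, signature
```

A file that carries its own literal data, like INLINE here, is rejected, so the signature can only ever be checked against the file that was actually downloaded.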