Detached signature ambiguity (was: [Announce] GnuPG 2.1.0 "modern" released)

Peter Lebbing peter at digitalbrains.com
Mon Nov 10 12:59:15 CET 2014


On 10/11/14 12:02, Nicholas Cole wrote:
> So the confusion is
> that you have one single command that deals with verifying both a
> detached signature and with a file that contains a signature?

Yes.

> Is the best fix for this to introduce two new commands

That seems extreme. Although you could add commands that make it
explicit what you want, removing the existing, ambiguous one would cause
massive breakage of deployed scripts. Werner is always very cautious
about doing that.

Maybe this avenue of thought can help come up with a good solution. When
people verify a detached signature, they usually have two files named:

file.ext
file.ext.sig

If GnuPG encounters this situation, but file.ext.sig is not a detached
signature, it could display a big fat warning:

WARNING: file.ext.sig is NOT a detached signature; the file file.ext is
NOT VERIFIED!

This does create some related issues:

gnupg_2.1.0.tar.bz2
gnupg-2.1.0.tar.bz2.sig

or

gnupg_2,1.0.tar.bz2.sig

These files can trick people into thinking they have the same filename.
This suggests this is either not foolproof or you need normalisation.
The extent of normalisation seems to make this unattainable. And
combining Unicode characters make matters even worse.

So it definitely has problems. But it might help to think of the most
proper solution.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
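
Added example, not part of the original message and not GnuPG code: one way to implement the content check proposed above, by walking the OpenPGP packet headers (RFC 4880, section 4.2) of file.ext.sig and accepting it as detached only if every packet is a Signature packet (tag 2). The function names and sample bytes are assumptions constructed for illustration; the look-alike filename problem raised in the message is out of scope.

```python
import base64

def dearmor(data: bytes) -> bytes:  # decode an armored detached signature
    if not data.lstrip().startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return data                 # binary input, or some other armor type
    lines = data.strip().splitlines()
    start = next((i for i, l in enumerate(lines) if not l.strip()), 0) + 1
    body = [l for l in lines[start:] if not l.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))

def packet_tags(data: bytes) -> list:  # tags of all packets, in order
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet")
        if hdr & 0x40:                    # new-format header
            tag, o = hdr & 0x3F, data[i + 1]
            if 224 <= o < 255:            # partial body: streamed data
                return tags + [tag]
            n = 1 if o < 192 else 2 if o < 224 else 5
            length = (o if n == 1
                      else ((o - 192) << 8) + data[i + 2] + 192 if n == 2
                      else int.from_bytes(data[i + 2:i + 6], "big"))
        else:                             # old-format header
            tag, lt = (hdr >> 2) & 0x0F, hdr & 3
            if lt == 3:                   # indeterminate length
                return tags + [tag]
            n = 1 << lt                   # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        tags.append(tag)
        i += 1 + n + length
    return tags

def is_detached_signature(data: bytes) -> bool:  # only tag-2 packets allowed
    try:
        tags = packet_tags(dearmor(data))
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == 2 for t in tags)

def check(sig_name: str, sig_bytes: bytes):  # assumes sig_name ends in ".sig"
    if is_detached_signature(sig_bytes):
        return None
    return (f"WARNING: {sig_name} is NOT a detached signature; "
            f"the file {sig_name[:-4]} is NOT VERIFIED!")

DETACHED = b"\x89\x00\x03abc"  # constructed: one dummy Signature packet
INLINE = b"\x90\x01a\xac\x07b\x00\x00\x00\x00\x00x\x88\x01a"  # constructed: tags 4, 11, 2
```

A file that passes this check still has to be verified against file.ext; the check only establishes that the signature file carries no data of its own.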


