Detached signature ambiguity
wk at gnupg.org
Tue Nov 11 09:52:44 CET 2014
On Mon, 10 Nov 2014 12:59, peter at digitalbrains.com said:
> If GnuPG encounters this situation, but file.ext.sig is not a detached
> signature, it could display a big fat warning:
> WARNING: file.ext.sig is NOT a detached signature; the file file.ext is
> NOT VERIFIED!
I think this is what I will implement. In addition, verifying a detached
signature in --batch mode will require that both files are given and
fail otherwise. After all, the mode where gpg figures out the data file
is a convenience feature which is indicated by

  gpg: assuming signed data in 'FILE'

in --verbose mode. This will break scripts using the abbreviated
command line version but it is better they break for a valid signature
than accepting faked signatures. Note that this bug also affects gpgv.
> This does create some related issues:
That is an entirely different thing and not a problem of gpg. You have
the very same problem with all tools and URLs.
Thoughts are free. Exceptions are regulated by a federal law.
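The failure mode discussed in this thread is a file.ext.sig that is not actually a detached signature. The following is an added example, not part of the original message and not GnuPG code: it decides this from the RFC 4880 packet headers, since a detached signature holds only Signature packets (tag 2) while a signed message also carries packets such as One-Pass Signature (4), Compressed Data (8) or Literal Data (11). It assumes binary, unarmored input; the function names and sample bytes are constructed for illustration.

```python
# Added example, not GnuPG code. Assumes binary (unarmored) OpenPGP input.
SIGNATURE_TAG = 2  # RFC 4880: packet tag 2 is a Signature packet

def packet_tags(data: bytes) -> list:
    """Return the tag of every top-level packet in binary OpenPGP data."""
    tags, pos = [], 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not a binary OpenPGP packet header")
        if first & 0x40:  # new-format header: tag in bits 5-0
            tag, partial = first & 0x3F, True
            while partial:  # partial-length chunks repeat until a final length
                o1 = data[pos]
                partial = 224 <= o1 < 255
                if o1 < 192:
                    length, pos = o1, pos + 1
                elif o1 < 224:
                    length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
                elif o1 == 255:
                    length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
                else:
                    length, pos = 1 << (o1 & 0x1F), pos + 1
                pos += length
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of input
                pos = len(data)
            else:
                size = 1 << ltype  # 1, 2 or 4 length octets
                pos += size + int.from_bytes(data[pos:pos + size], "big")
        if pos > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if the input is one or more Signature packets and nothing else."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(tag == SIGNATURE_TAG for tag in tags)

# Constructed samples: headers are real encodings, bodies are dummy bytes.
DETACHED = bytes([0x88, 3]) + b"\x00" * 3        # Signature only
INLINE = (bytes([0x90, 2]) + b"\x00" * 2          # One-Pass Signature
          + bytes([0xAC, 4]) + b"data"            # Literal Data
          + bytes([0x88, 3]) + b"\x00" * 3)       # Signature
```

A verification script can refuse to continue when this returns False, and otherwise call gpg with both the signature file and the data file named explicitly, as the message above requires for --batch mode.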