Detached signature ambiguity

Werner Koch wk at gnupg.org
Tue Nov 11 09:52:44 CET 2014


On Mon, 10 Nov 2014 12:59, peter at digitalbrains.com said:

> If GnuPG encounters this situation, but file.ext.sig is not a detached
> signature, it could display a big fat warning:
>
> WARNING: file.ext.sig is NOT a detached signature; the file file.ext is
> NOT VERIFIED!

I think this is what I will implement.  In addition, verifying a detached
signature in --batch mode will require that both files are given and
fail otherwise.  After all, the mode where gpg figures out the data file
is a convenience feature which is indicated by

 gpg: assuming signed data in 'FILE'

in --verbose mode.  This will break scripts using the abbreviated
command line version, but it is better they break for a valid signature
than accepting faked signatures.  Note that this bug also affects gpgv.

> This does create some related issues:
>
> gnupg_2.1.0.tar.bz2
> gnupg-2.1.0.tar.bz2.sig

That is an entirely different thing and not a problem of gpg.  You have
the very same problem with all tools and URLs.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
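The ambiguity discussed in this thread is that `gpg --verify file.sig` alone lets gpg guess the data file, so a `file.sig` that is really an inline-signed message verifies fine while `file` is never checked at all. The following is an added example, not GnuPG's or Werner's code, of how a calling script can enforce the rule described above from its own side: always pass both files, and refuse to call gpg unless the signature file actually consists of nothing but OpenPGP Signature packets. It parses packet headers as laid out in RFC 4880 section 4.2 (old and new format, including partial body lengths) and recognises the three ASCII-armor block types; the `gpg` invocation assumes a `gpg` binary on PATH, the function names are mine, and the sample files at the bottom are constructed (structurally valid packets with fake signature bytes, not real signatures).

```python
"""Added example (not GnuPG code): refuse a detached verification unless the
.sig file really contains only OpenPGP Signature packets (RFC 4880 tag 2).
Sample inputs below are constructed; function names are the example's own."""
import base64
import subprocess
from typing import List, Tuple

SIG, ONE_PASS, COMPRESSED, LITERAL = 2, 4, 8, 11   # packet tags we care about


def dearmor(text: bytes) -> bytes:
    """Return the base64 payload of one ASCII-armor block; the armor headers
    (up to the first blank line), the '=XXXX' CRC24 line and END line are dropped."""
    body, in_body = [], False
    for line in text.splitlines():
        if not in_body:
            in_body = line.strip() == b""
        elif line.startswith(b"-----END"):
            break
        elif not line.startswith(b"="):
            body.append(line.strip())
    return base64.b64decode(b"".join(body))


def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split binary OpenPGP data into (tag, body) pairs; ValueError on junk."""
    packets, i, n = [], 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:                      # bit 7 must be set in any header
            raise ValueError("byte %d is not a packet header" % i)
        i += 1
        body = bytearray()
        if ctb & 0x40:                          # new-format header, tag in low 6 bits
            tag, partial = ctb & 0x3F, True
            while partial:                      # loop until a non-partial length
                if i >= n:
                    raise ValueError("truncated length")
                b, i = data[i], i + 1
                if b < 192:
                    length, partial = b, False
                elif b < 224:
                    length, partial = ((b - 192) << 8) + data[i] + 192, False
                    i += 1
                elif b == 255:
                    length, partial = int.from_bytes(data[i:i + 4], "big"), False
                    i += 4
                else:                           # 224..254: partial body length
                    length = 1 << (b & 0x1F)
                if i + length > n:
                    raise ValueError("truncated packet body")
                body += data[i:i + length]
                i += length
        else:                                   # old-format header, tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                      # indeterminate: runs to end of input
                length = n - i
            else:
                size = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + size], "big"), i + size
            if i + length > n:
                raise ValueError("truncated packet body")
            body += data[i:i + length]
            i += length
        packets.append((tag, bytes(body)))
    return packets


def classify(raw: bytes) -> str:
    """'detached' (only Signature packets), 'inline', 'cleartext' or 'unknown'."""
    head = raw.lstrip()
    if head.startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
        return "cleartext"                      # clearsigned: the data is inside
    if head.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "inline"                         # signed (or encrypted) message
    if head.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        head = dearmor(head)
    try:
        tags = [t for t, _ in parse_packets(head)]
    except (ValueError, IndexError):
        return "unknown"
    if tags and all(t == SIG for t in tags):
        return "detached"
    if any(t in (ONE_PASS, LITERAL, COMPRESSED) for t in tags):
        return "inline"
    return "unknown"


def verify_detached(sig_path: str, data_path: str) -> bool:
    """Always hand gpg both files, and abort first unless sig_path is detached,
    so gpg never gets the chance to 'assume signed data' on its own."""
    with open(sig_path, "rb") as f:
        kind = classify(f.read())
    if kind != "detached":
        raise RuntimeError("WARNING: %s is NOT a detached signature (%s); "
                           "%s is NOT VERIFIED" % (sig_path, kind, data_path))
    r = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                        sig_path, data_path], capture_output=True, text=True)
    return r.returncode == 0 and "[GNUPG:] VALIDSIG " in r.stdout


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet (only used to build the constructed samples)."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body


def old_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a one-octet length (gpg emits these too)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed samples: packet framing is right, the signature bytes are fake.
_SIG_BODY = b"\x04\x00\x01\x08\x00\x00\x00\x00\xab\xcd\x00\x08\xaa"
SAMPLE_DETACHED = new_packet(SIG, _SIG_BODY)
SAMPLE_DETACHED_OLD = old_packet(SIG, _SIG_BODY)
SAMPLE_INLINE = (new_packet(ONE_PASS, b"\x03\x00\x08\x01" + b"\x00" * 8 + b"\x01")
                 + new_packet(LITERAL, b"b\x00\x00\x00\x00\x00hello") + SAMPLE_DETACHED)
SAMPLE_ARMORED = (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(SAMPLE_DETACHED)
                  + b"\n=abcd\n-----END PGP SIGNATURE-----\n")
SAMPLE_CLEARTEXT = b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n"
SAMPLE_PARTIAL = b"\xc2\xe0\x04\x02\x00\x01"   # tag 2, partial len 1, then final len 2
```

`classify` is deliberately conservative: anything it cannot parse, or a packet stream mixing signature packets with literal, compressed or one-pass packets, is reported as not detached, which is the failure mode the thread is about (an inline signature handed to gpg where a detached one was expected). The parser only inspects framing; it does not validate the signature body, and `verify_detached` still relies on gpg's own `VALIDSIG` status line for the cryptographic result.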