Detached signature ambiguity
Werner Koch
wk at gnupg.org
Tue Nov 11 09:52:44 CET 2014
On Mon, 10 Nov 2014 12:59, peter at digitalbrains.com said:
> If GnuPG encounters this situation, but file.ext.sig is not a detached
> signature, it could display a big fat warning:
>
> WARNING: file.ext.sig is NOT a detached signature; the file file.ext is
> NOT VERIFIED!

I think this is what I will implement. In addition, verifying a detached
signature in --batch mode will require that both files are given and
fail otherwise. After all, the mode where gpg figures out the data file
is a convenience feature which is indicated by

  gpg: assuming signed data in 'FILE'

in --verbose mode. This will break scripts using the abbreviated
command line version but it is better they break for a valid signature
than accepting faked signatures. Note that this bug also affects gpgv.

> This does create some related issues:
>
> gnupg_2.1.0.tar.bz2
> gnupg-2.1.0.tar.bz2.sig

That is an entirely different thing and not a problem of gpg. You have
the very same problem with all tools and URLs.

Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
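
The condition behind the proposed warning, as an added example (not GnuPG code and not part of the original message): a pre-check a script can run on file.ext.sig to see whether it contains only Signature packets or is a complete signed message. It assumes binary (non-armored) input and RFC 4880 packet headers; the function names and sample bytes are constructed for illustration, and the check verifies nothing cryptographically.

```python
SIGNATURE = 2  # RFC 4880 packet tag of a Signature packet

def packet_tags(data: bytes) -> list:
    """Return the packet tags found in a binary OpenPGP byte string."""
    tags, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % pos)
        pos += 1
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:                       # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                     # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                    # four-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:                              # partial body length (streamed)
                length = None
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                     # indeterminate length (streamed)
                length = None
            else:
                n = 1 << ltype                 # 1, 2 or 4 length octets
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        tags.append(tag)
        if length is None:
            if tag == SIGNATURE:
                raise ValueError("signature packet with streamed length")
            break                              # streamed body runs to end of data
        if pos + length > len(data):
            raise ValueError("truncated packet")
        pos += length
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if the data consists of one or more Signature packets."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE for t in tags)

# Constructed samples: real header layout, dummy packet bodies.
DETACHED = bytes([0x88, 3]) + b"\x04\x00\x01"
INLINE = bytes([0x90, 2]) + b"\x03\x00" + bytes([0xAC, 4]) + b"b\x00hi" + DETACHED
COMPRESSED = bytes([0xA3]) + b"\x01\x00"
```

A True result only describes the shape of the file; the signature itself still has to be verified with both the signature file and the data file named on the gpg command line.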