Detached signature ambiguity

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 13 18:22:07 CET 2014


On 11/13/2014 07:01 AM, Werner Koch wrote:
>     gpg: Make the use of "--verify FILE" for detached sigs harder.

Thanks for doing this, Werner.

> Now waiting which tools or scripts will break.  I checked a few
> (including dpkg) and they do the Right Thing.

I'm glad to hear this.

> Shall this be ported to 2.0 and 1.4 and fixes released?  I guess yes.

Yes, please.  This is an important security hardening, and it shouldn't
depend on which branch people are using.

If people have tools that break because of this change, those tools were
probably vulnerable to even worse breakage (silent breakage where things
they thought were validated weren't actually validated), so this is a
valuable fix, even if there's short-term difficulty.

Regards,

	--dkg
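The breakage dkg describes above is a script that hands gpg only a signature file and trusts the exit code. An added example (not from this thread or from GnuPG's own sources) of the unambiguous pattern: always name both the signature and the data file, and decide on gpg's machine-readable status lines rather than on the exit code alone. The status tokens (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NODATA, NO_PUBKEY, EXPSIG, EXPKEYSIG, REVKEYSIG) are the documented ones from gpg's status-fd protocol; the sample status text, key IDs, fingerprint and user ID are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG.
# Verify a detached signature without ambiguity: gpg is always given
# BOTH the signature file and the data file, so it never has to guess
# (or be told by an attacker-controlled file) what it is verifying.

# Constructed sample status output, as gpg writes it to --status-fd.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-11-13 1415900527 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>'

# require_good_status STATUS_TEXT
# Succeeds only when the status stream carries GOODSIG *and* VALIDSIG and
# none of the failure tokens. Any unexpected shape fails closed.
require_good_status() {
    status="$1"
    # Explicit failure tokens: bad, unverifiable, expired or revoked.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # Both a good signature and the VALIDSIG record with the fingerprint.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    return 0
}

# verify_detached SIGFILE DATAFILE
# Refuses to run with a missing argument: "gpg --verify SIGFILE" alone is
# exactly the ambiguous invocation the thread is about.
verify_detached() {
    sig="$1"
    data="$2"
    if [ -z "$sig" ] || [ -z "$data" ]; then
        echo "usage: verify_detached SIGFILE DATAFILE" >&2
        return 2
    fi
    # Status lines go to stdout (fd 1); human-readable output to stderr.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$data" 2>/dev/null)
    require_good_status "$status"
}

# Usage in a script:
#   verify_detached release.tar.gz.sig release.tar.gz || exit 1
```

Two points of the design: the data file is a required argument, so the script cannot be tricked by being handed a single file that is not the detached signature it expects; and GOODSIG alone is not enough, since VALIDSIG is the record that carries the fingerprint a script should pin against an expected key.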
