Detached signature ambiguity

Doug Barton dougb at dougbarton.email
Thu Nov 13 20:16:45 CET 2014


On 11/13/14 9:22 AM, Daniel Kahn Gillmor wrote:
| On 11/13/2014 07:01 AM, Werner Koch wrote:
|> gpg: Make the use of "--verify FILE" for detached sigs harder.
|
| thanks for doing this, Werner.
|
|> Now waiting which tools or scripts will break.  I checked a few
|> (including dpkg) and they do the Right Thing.
|
| i'm glad to hear this.
|
|> Shall this be ported to 2.0 and 1.4 and fixes released?  I guess
|> yes.
|
| yes, please.  This is an important security hardening, and it
| shouldn't depend on which branch people are using.
|
| If people have tools that break because of this change, those tools
| were probably vulnerable to even worse breakage (silent breakage
| where things they thought were validated weren't actually
| validated), so this is a valuable fix, even if there's short-term
| difficulty.

+1 to all of dkg's points.

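The hardening discussed in this thread targets verification calls that name only one file and leave gpg to work out which data the detached signature covers. The wrapper below, added here as an illustration and not code from GnuPG or any poster, always passes both the signature and the data file and decides the outcome only from gpg's machine-readable status lines; the key IDs, fingerprint and status text in the samples are constructed.

```python
import subprocess
from typing import Dict, List

# Status keywords GnuPG emits on --status-fd (see doc/DETAILS). Both "good"
# keywords must appear and none of the "bad" ones before data counts as verified.
_GOOD = {"GOODSIG", "VALIDSIG"}
_BAD = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def build_verify_argv(sig_path: str, data_path: str) -> List[str]:
    """Argument vector naming BOTH the detached signature and the signed data,
    so gpg never has to guess which file the signature belongs to."""
    if not sig_path or not data_path:
        raise ValueError("detached verification needs a signature AND a data path")
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]


def parse_status(status_output: str) -> Dict[str, object]:
    """Reduce '[GNUPG:] ...' status lines to a verdict; ignore free-form text."""
    seen_good, problems, fingerprint = set(), [], None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable noise, never a basis for a decision
        fields = line.split()
        keyword = fields[1]
        if keyword in _GOOD:
            seen_good.add(keyword)
            if keyword == "VALIDSIG" and len(fields) > 2:
                fingerprint = fields[2]  # full fingerprint of the signing key
        elif keyword in _BAD:
            problems.append(keyword)
    valid = _GOOD.issubset(seen_good) and not problems
    return {"valid": valid, "fingerprint": fingerprint if valid else None, "problems": problems}


def verify_detached(sig_path: str, data_path: str) -> Dict[str, object]:
    """Run gpg unambiguously and combine its exit code with the parsed status."""
    proc = subprocess.run(build_verify_argv(sig_path, data_path), capture_output=True, text=True)
    result = parse_status(proc.stdout)
    result["valid"] = bool(result["valid"]) and proc.returncode == 0
    return result


# Constructed sample status output (not from a real gpg run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-11-13 1415905005 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
SAMPLE_NODATA = "[GNUPG:] NODATA 1\ngpg: no valid OpenPGP data found.\n"
```

A script that checks only gpg's exit code or greps "Good signature" from stderr can be fooled by locale changes or by a verification that ran over a different file than intended; the status channel is the contract to rely on.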


