Detached signature ambiguity
dougb at dougbarton.email
Thu Nov 13 20:16:45 CET 2014
On 11/13/14 9:22 AM, Daniel Kahn Gillmor wrote:
| On 11/13/2014 07:01 AM, Werner Koch wrote:
|> gpg: Make the use of "--verify FILE" for detached sigs harder.
| thanks for doing this, Werner.
|> Now waiting which tools or scripts will break. I checked a few
|> (including dpkg) and they do the Right Thing.
| i'm glad to hear this.
|> Shall this be ported to 2.0 and 1.4 and fixes released? I guess
| yes, please. This is an important security hardening, and it
| shouldn't depend on which branch people are using.
| If people have tools that break because of this change, those tools
| were probably vulnerable to even worse breakage (silent breakage
| where things they thought were validated weren't actually
| validated), so this is a valuable fix, even if there's short-term
+1 to all of dkg's points.
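An added example, not part of the thread or of GnuPG: a shell wrapper that verifies a detached signature by always naming the signed data file, so the one-argument `--verify FILE` form discussed above is never used. The names `verify_detached` and `GPG` are hypothetical; the cleartext-header check covers only the ASCII-armored cleartext form.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature without relying on
# the one-argument form of "gpg --verify".
# Hypothetical names: verify_detached, GPG (override for the gpg binary).

GPG=${GPG:-gpg}

# verify_detached SIGFILE DATAFILE
# Returns 0 only if gpg reports a valid signature by SIGFILE over DATAFILE.
# Returns 2 on usage errors, 3 if SIGFILE is not a detached signature,
# 1 if verification fails.
verify_detached() {
    # Require both operands so gpg never has to guess what was signed.
    if [ "$#" -ne 2 ]; then
        echo "usage: verify_detached SIGFILE DATAFILE" >&2
        return 2
    fi
    sig=$1
    data=$2
    if [ ! -f "$sig" ] || [ ! -f "$data" ]; then
        echo "verify_detached: missing signature or data file" >&2
        return 2
    fi
    # A cleartext-signed message carries its own content, which is not
    # the file the caller wants checked, so refuse it in the SIGFILE slot.
    if grep -q -e '-----BEGIN PGP SIGNED MESSAGE-----' "$sig"; then
        echo "verify_detached: $sig is not a detached signature" >&2
        return 3
    fi
    # Use the machine-readable status lines, not the human-readable text.
    status=$("$GPG" --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # VALIDSIG is emitted only for a cryptographically good signature.
    case $status in
        *"[GNUPG:] VALIDSIG "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

A caller that also needs to pin the signer would compare the fingerprint on the `VALIDSIG` status line against an expected value.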