GPA fails to verify certain .asc files

[Philip Jackson]

On 24/01/15 20:25, Peter Lebbing wrote:
> On 24/01/15 20:05, Philip Jackson wrote:
>> Using GPA 0.9.4 in linux.
>>
>> I downloaded a file and its signature as a .asc from a website that I have
>> used many times.  While looking at the spelling of the filename, I
>> accidentally clicked on the signature file and launched GPA so decided to
>> use it to verify the download.  GPA gave me a 'bad' status.
> 
> I think this might be related to this:
> 
> http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051430.html
> 
> Quoting that mail:
> 
>> Now waiting which tools or scripts will break.  I checked a few (including
>> dpkg) and they do the Right Thing.
> 
> Did the tool GPA just break? :). What is the proper solution anyways? A file
> picker dialog for the signed data?
> 

I doubt the failure is anything caused by gnupg 2.1 (unless maybe the file I
downloaded was signed under 2.1.

I am using 2.0.26 and 1.4.16 and I have signed and tested quite a few files
trying to find out why GPA will verify some but not others.

The only ones I can sign (with cli)  and then fail to verify with GPA are when I
use the  "gpg --detach-sign -a" command and option.  Such signature files will
verify perfectly well with the command line but not with the GPA gui.

--batch doesn't come into the question either.  And in every case, the matching
data file.txt was in the same directory together with the signature file.txt.asc
file.

Other signature files (.sig, .gpg) were not affected.

My point was that when a file with name like filename.tar.xz.asc is downloaded
with its data file of similar name and someone tries to verify it using GPA,
they could get a false 'bad' signature response from GPA.

Philip

Philip


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150124/5c60a3c9/attachment.sig>