--verify with foo.gpg file does not assume signed data in foo?

Peter Lebbing peter at digitalbrains.com
Sun Feb 18 22:37:59 CET 2018


On 18/02/18 20:45, Ray Satiro via Gnupg-users wrote:
> I know for xxx.sig
> files it would strip that extension and then "gpg: assuming signed data
> in xxx"

I'd like to suggest you shouldn't do it anyway. If somebody supplies you a
non-detached signed file with just a subtly different name, the only difference
will be that this line "assuming..." is missing; it will still report a valid
signature. If you're human, like me, you won't notice, but just think "ha, a
valid signature" and continue to use the non-verified file. At this point, your
attacker has already managed to serve you the wrong .sig file; they also
probably supplied you the wrong file it was supposed to have signed.

I'm saying "a subtly different name" because otherwise GnuPG will still warn you:
gpg: WARNING: not a detached signature; file 'xxx' was NOT verified!

But it can't catch those cases where look-alike characters are used, and Unicode
is a vast collection of sometimes similar shapes.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
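The point of the message above is that the data file should always be named explicitly so that gpg treats the first argument as a detached signature and warns when it is not, and that the decision should rest on machine-readable status lines rather than on a human glancing at "Good signature". The following is an added example, not code from the thread or from GnuPG itself; the expected fingerprint, the sample `--status-fd` output and the key user-id are constructed placeholders.

```python
import subprocess  # used only by verify_detached(); parse_status() runs offline

# Fingerprint of the key expected to have signed the release (constructed placeholder).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def build_verify_argv(sig_path, data_path):
    """Always pass the data file explicitly. With two arguments gpg treats the first
    as a detached signature over the second and warns 'not a detached signature'
    if it is not, instead of silently verifying an inline-signed look-alike file."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]

def parse_status(status_text, expected_fpr=EXPECTED_FPR):
    """Decide from --status-fd lines whether the signature is good AND was made by
    the expected key. VALIDSIG carries the signing key's fingerprint; GOODSIG
    alone only tells you that some key in the keyring produced a good signature."""
    goodsig = False
    valid_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            valid_fpr = fields[2].upper()
        elif keyword in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
            return False  # any of these means the data must not be trusted
    return goodsig and valid_fpr == expected_fpr.upper()

def verify_detached(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Run gpg with an explicit data file and judge the result from its status output."""
    proc = subprocess.run(build_verify_argv(sig_path, data_path),
                          capture_output=True, text=True)
    return proc.returncode == 0 and parse_status(proc.stdout, expected_fpr)

# Constructed sample status output in the shape gpg prints for a good detached signature.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-02-18 1519000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# Constructed sample for a signature that does not match the data.
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Release Key <release@example.org>
"""
```

Calling `verify_detached("foo.sig", "foo")` on a real pair of files requires gpg and the signer's public key in the keyring; `parse_status` can be exercised on captured status output without either.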
