sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend
andrewg
andrewg at andrewg.com
Tue Aug 6 13:28:14 CEST 2024
On 2024-08-06 10:32, Jakob Bohm via Gnupg-users wrote:
>
> For issues such as the above, the proper script-friendly solution is to
> enhance gpgv itself with command line options to specify the desired
> trust requirements. For the multi-signer scenario above, an option
> could
> be set to
>
> --must-match-percent 90 --ignore-unknown
I think using percentages rather than absolute values here would be
dangerous. If this is a percentage of the number of keys in the keyring,
it would make updating the membership of the keyring a potential DOS
event. If it is a percentage of the number of signatures on the message,
an attacker who compromises just one signing key could distribute a
package signed by just that key, and 100% of attached signatures would
verify.
A
More information about the Gnupg-users
mailing list