5e2899097a
It has been pointed out that there is another bug in the signature verification code of GnuPG. * This can easily lead to false positives * All versions of GnuPG released before today are vulnerable! To check a detached singature you normally do this: gpg --verify foo.sig foo.txt The problem here is that someone may replace foo.sig with a standard signature containing some arbitrary signed text and its signature, and then modify foo.txt - GnuPG does not detect this - Ooops. The solution for this problem ist not easy and needs a change in the semantics of the --verify command: It will not any longer be possible to do this: gpg --verify foo.sig <foo.txt Instead you have to use this gpg --verify foo.sig - <foo.txt The difference here is that gpg sees 2 files on the command lines and thereby knows that it should check a detached signature. We really need this information and there is no way to avoid that change, sorry. You should make sure that you never use the first form, because this will lead to false positives when foo.sig is not a detached signature - gnupg does detect the other case and warns you, but this is not sufficient. If you use GnuPG from other applications, please change it. ok markus@ |
||
---|---|---|
.. | ||
files | ||
patches | ||
pkg | ||
Makefile |