Control: reassign -1 gnupg
Control: forcemerge -1 704645
Control: severity -1 critical
On Thu, Apr 04, 2013 at 12:24:26AM +0200, Bastian Blank wrote:
> On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
> > So one can prepend an InRelease file looking like
> > ----
> > -----BEGIN PGP SIGNED MESSAGE----- NOT
> > Hash: SHA1
> >
> > <insert malicious Release file contents here>
> >
> > -----BEGIN PGP SIGNATURE----- NOT
> > ----
>
> This is a bug in gnupg, this is clearly no valid file clearsign message
> anymore, see RFC 4880, section 7.
I decided that this is no bug in cdebootstrap at all. cdebootstrap asks
gnupg to verify the _file_:
| gpgv pgpfile
| Verify the signature of the file.
gpgv answers that the _file_ was verified. But only a _part_ of it was
actually signed, so this answer is incorrect.
Nothing in the documentation tells anything different.
Bastian
--
Actual war is a very messy business. Very, very messy business.
-- Kirk, "A Taste of Armageddon", stardate 3193.0
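Added example, not code from the report, cdebootstrap or gnupg: a structural
pre-check that a file is exactly one clearsigned message, so that a "file
verified" verdict covers the whole file rather than an embedded signed part. The
sample files are constructed and the signature body is a placeholder, not a real
signature; the check complements gpgv, it does not replace it.

```python
# Constants are the RFC 4880 section 7 armor lines of a clearsigned message.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def is_single_clearsigned(data: str) -> bool:
    """True only if the whole file is one clearsigned message: exact armor
    header on the first line, one signature block, nothing before or after.
    A line like 'BEGIN PGP SIGNED MESSAGE----- NOT' is not an exact armor
    line and therefore counts as unsigned foreign material."""
    lines = data.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        return False  # unsigned material precedes the real armor header
    if lines.count(BEGIN_MSG) != 1 or lines.count(BEGIN_SIG) != 1:
        return False  # duplicated or nested blocks
    if lines.count(END_SIG) != 1 or lines[-1] != END_SIG:
        return False  # signature block must be the last thing in the file
    return lines.index(BEGIN_SIG) < lines.index(END_SIG)


def covered_text(data: str) -> str:
    """The cleartext a verifier actually checks: everything after the blank
    line that ends the 'Hash:' armor headers, up to the signature armor line.
    Returns '' when no clearsigned block is present at all."""
    lines = data.splitlines()
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        return ""
    start = lines.index(BEGIN_MSG) + 1
    while start < len(lines) and lines[start] != "":
        start += 1  # skip 'Hash: SHA1' style armor headers
    return "\n".join(lines[start + 1:lines.index(BEGIN_SIG)])


# Constructed samples: a well-formed clearsigned Release file (placeholder
# signature) and the same file with unsigned text prepended, as in the report.
GOOD = "\n".join([BEGIN_MSG, "Hash: SHA1", "",
                  "Origin: Debian", "Suite: stable",
                  BEGIN_SIG, "PLACEHOLDER-NOT-A-REAL-SIGNATURE", END_SIG])
PREPENDED = "\n".join([BEGIN_MSG + " NOT", "Hash: SHA1", "",
                       "Suite: unsigned-text",
                       BEGIN_SIG + " NOT", ""]) + GOOD

if __name__ == "__main__":
    for name, f in (("good", GOOD), ("prepended", PREPENDED)):
        print(name, "whole file covered by signature:", is_single_clearsigned(f))
        print(name, "text the signature covers:", repr(covered_text(f)))
```

Both samples yield the same covered text, which is why a signature check alone reports success for the prepended file; the structural check is what rejects it.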