Andy McKnight wrote:
> Is this behaviour by design? Are GPG users supposed to be aware that
> this line is untrusted?

The behavior is specified by RFC4880 and is not a security risk.

As an example, I have a small CSS file here that I have clearsigned. The opening looks like:

*-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello, World!

/*************************************************************************
Enigmail New Site - Main CSS (for SCREEN display on recent browsers)

(I've added an asterisk to the beginning of the -----BEGIN block, to prevent mail clients from misreading it as a real OpenPGP stanza.)

Now I try to verify it with:

job:~ rjh$ gpg main.css.asc
gpg: invalid armor header: Hello, World!\n
File `main.css' exists. Overwrite? (y/N) y
gpg: Signature made Mon May 5 04:38:51 2008 CDT using RSA key ID FEAF8109
gpg: Good signature from "Robert J. Hansen <[EMAIL PROTECTED]>"
gpg:                 aka "Robert J. Hansen"

Looking at the top of main.css, what I see is:

/*************************************************************************
Enigmail New Site - Main CSS (for SCREEN display on recent browsers)
...

The injected text is stripped. It is never presented to the user as verified text.

If a mail client presents the original message, rather than the message as GnuPG has verified it, then that is a major HCI issue. I would suggest filing a bug with the maintainer of your mail client.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
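As an added illustration of the RFC 4880 clearsign structure described in the reply above (example code, not from the thread or from GnuPG): a small parser that splits a clearsigned message into its armor-header block and the signed text, run over a constructed sample carrying the same injected "Hello, World!" line. It shows that a line sitting between "Hash:" and the blank line is never part of the signed text, which is exactly what a verifier should flag as an invalid header; it models only the RFC layout, not GnuPG's full header rules.

```python
"""Split an OpenPGP clearsigned message (RFC 4880, sections 6.2 and 7) into
armor headers, invalid header-block lines, signed text and signature block."""
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Armor headers are "Key: Value" lines (section 6.2); anything else in the
# header block is not a header and is never part of the signed text.
HEADER_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*): (.*)")

def parse_clearsigned(text):
    """Return (headers, invalid_lines, signed_text, signature_lines).

    invalid_lines are header-block lines that are not armor headers; a
    verifier drops them rather than treating them as signed content.
    signed_text is the dash-unescaped text the signature actually covers."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines:
        raise ValueError("not a clearsigned message")
    i = lines.index(BEGIN_SIGNED) + 1
    headers, invalid = {}, []
    # Header block runs up to the first empty line (section 7).
    while i < len(lines) and lines[i] != "":
        m = HEADER_RE.fullmatch(lines[i])
        if m:
            headers[m.group(1)] = m.group(2)
        else:
            invalid.append(lines[i])
        i += 1
    i += 1  # the empty line itself is not part of the signed text
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        # Dash-escaping (section 7.1): strip the "- " the signer prepended.
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    return headers, invalid, "\n".join(body), lines[i:]

# Constructed sample mirroring the post; the signature block is a placeholder.
SAMPLE = "\n".join([
    BEGIN_SIGNED, "Hash: SHA256", "Hello, World!", "",
    "/*****************************", "- -- Enigmail New Site - Main CSS",
    BEGIN_SIG, "(constructed placeholder, not a real signature)", END_SIG, ""])

if __name__ == "__main__":
    hdrs, bad, signed, sig = parse_clearsigned(SAMPLE)
    print("headers:", hdrs, "| dropped from header block:", bad)
    print("signed text the user should see:\n" + signed)
```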