On Fri, 7 Nov 2014 22:21, si...@sinic.name said:

> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's
> not, in fact, a detached signature.

I guess that this bug exists at least since 1.0.4 and I consider this a
serious flaw. I am thinking about a proper solution which limits breakage.
As a quick minimal fix I changed the instructions on the website.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
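
What "not, in fact, a detached signature" means at the packet level, as an added example (not code from GnuPG or from this thread): a structural pre-check that a file holds nothing but OpenPGP Signature packets. Packet framing follows RFC 4880; the function names and sample bytes are constructed for illustration, and the check does not verify any signature.

```python
import base64
SIGNATURE_TAG = 2  # RFC 4880 packet tag of a Signature packet

def dearmor(data: bytes) -> bytes:
    """Decode ASCII armor; only a 'PGP SIGNATURE' block is accepted."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data  # already binary
    lines = [l.strip() for l in data.strip().splitlines()]
    if lines[0] != b"-----BEGIN PGP SIGNATURE-----":
        raise ValueError("armor type is not SIGNATURE")
    start = lines.index(b"") + 1  # blank line ends the armor headers
    body = [l for l in lines[start:-1] if not l.startswith(b"=")]  # drop CRC24 line
    return base64.b64decode(b"".join(body), validate=True)

def packet_tags(data: bytes) -> list:
    tags, i = [], 0
    while i < len(data):
        first, i = data[i], i + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new-format header
            tag, o1, i = first & 0x3F, data[i], i + 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length is not allowed here")
        else:  # old-format header; length type 3 (indeterminate) raises KeyError
            tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[first & 3]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        i += length
        if i > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if the file parses cleanly and holds nothing but Signature packets."""
    try:
        tags = packet_tags(dearmor(data))
    except (ValueError, LookupError):
        return False
    return bool(tags) and all(t == SIGNATURE_TAG for t in tags)

DETACHED = b"\x88\x04\x00\x00\x00\x00"  # constructed: one Signature packet, dummy body
NOT_DETACHED = b"\x90\x01\x00" + b"\xac\x02hi" + DETACHED  # constructed: tags 4, 11, 2
```
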