On Fri,  7 Nov 2014 22:21, si...@sinic.name said:

> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's
> not, in fact, a detached signature.

I guess that this bug has existed since at least 1.0.4 and I consider this a
serious flaw.  I am thinking about a proper solution which limits
breakage.

As a quick minimal fix I changed the instructions on the website.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

