On 10/11/14 12:02, Nicholas Cole wrote:
> So the confusion is that you have one single command that deals with
> verifying both a detached signature and with a file that contains a
> signature?

Yes.

> Is the best fix for this to introduce two new commands

That seems extreme. Although you could add commands that make it explicit what you want, removing the existing, ambiguous one would cause massive breakage of deployed scripts. Werner is always very cautious about doing that.

Maybe this avenue of thought can help come up with a good solution.

When people verify a detached signature, they usually have two files named:

file.ext
file.ext.sig

If GnuPG encounters this situation, but file.ext.sig is not a detached signature, it could display a big fat warning:

WARNING: file.ext.sig is NOT a detached signature; the file file.ext is NOT VERIFIED!

This does create some related issues:

gnupg_2.1.0.tar.bz2
gnupg-2.1.0.tar.bz2.sig
or
gnupg_2,1.0.tar.bz2.sig

These files can trick people into thinking they have the same filename. This suggests this is either not foolproof or you need normalisation. The extent of normalisation seems to make this unattainable. And combining Unicode characters make matters even worse.

So it definitely has problems. But it might help think of the most proper solution.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
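As an added example (not code from this thread or from GnuPG), here is the check the proposed warning would need: deciding from the OpenPGP packet structure whether file.ext.sig is really a detached signature (signature packets only) rather than a signed file that carries its own data. The sample inputs are constructed, with real packet headers and filler bodies; packet tags and header formats follow RFC 4880.

```python
# Added example (not GnuPG code): tell a detached signature from a signed file that
# carries its data inside, by walking the OpenPGP packet headers of the .sig file.
import base64
SIGNATURE = 2                                   # packet tag, RFC 4880 section 4.3
CLEARSIGN = b"-----BEGIN PGP SIGNED MESSAGE-----"

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) if present; binary input passes through."""
    if not data.startswith(b"-----BEGIN PGP "):
        return data
    body = data.splitlines()[1:]
    while body and body[0].strip():             # skip armor headers up to the blank line
        body.pop(0)
    b64 = b"".join(line.strip() for line in body[1:]   # drop the "=CRC" line and END trailer
                   if line.strip() and not line.startswith((b"=", b"-----END")))
    return base64.b64decode(b64)

def packet_tags(data: bytes) -> list[int]:
    """Walk the top-level packet headers (RFC 4880 section 4.2) and return their tags."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"byte {i}: not an OpenPGP packet header")
        if ctb & 0x40:                          # new-format header
            tag, o = ctb & 0x3F, data[i + 1]
            if o < 192: hl, ln = 2, o
            elif o < 224: hl, ln = 3, ((o - 192) << 8) + data[i + 2] + 192
            elif o == 255: hl, ln = 6, int.from_bytes(data[i + 2:i + 6], "big")
            else: raise ValueError("partial body lengths not supported")
        else:                                   # old-format header: 1, 2 or 4 length octets
            tag, lt = (ctb >> 2) & 0x0F, ctb & 3
            if lt == 3: raise ValueError("indeterminate length not supported")
            hl = 1 + (1 << lt)
            ln = int.from_bytes(data[i + 1:i + hl], "big")
        tags.append(tag)
        i += hl + ln
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if the file consists solely of signature packets (tag 2)."""
    if data.startswith(CLEARSIGN): return False  # clearsigned: the signed text is inside
    tags = packet_tags(dearmor(data))
    return bool(tags) and all(t == SIGNATURE for t in tags)

# Constructed sample inputs: real packet headers, filler bodies.
DETACHED = b"\x88\x04\x04\x00\x01\x0a"                          # old-format signature packet
SIGNED_FILE = b"\xc4\x02\x03\x00" + b"\xcb\x05bhi\x00\x00" + b"\xc2\x03\x04\x00\x01"  # one-pass sig, literal data, sig
ARMORED = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
           + base64.b64encode(DETACHED) + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")
```

A wrapper could run this on file.ext.sig before calling gpg and print the warning from the message above when it returns False.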