On Mon, 10 Nov 2014 12:59, pe...@digitalbrains.com said: > If GnuPG encounters this situation, but file.ext.sig is not a detached > signature, it could display a big fat warning: > > WARNING: file.ext.sig is NOT a detached signature; the file file.ext is > NOT VERIFIED!
I think this is what I will implement. In addition verifying a detached signature in --batch mode will required that both files are given and fail otherwise. After all the mode where gpg figures out the data file is a convenience feature which is indicated by gpg: assuming signed data in 'FILE' in --verbose mode. This will break scripts using the abbreviated command line version but it is better they break for a valid signature than accepting faked signatures. Note that this bug also affects gpgv. > This does create some related issues: > > gnupg_2.1.0.tar.bz2 > gnupg-2.1.0.tar.bz2.sig That is an entire different thing and not a problem of gpg. You have the very same problem with all tools and URLs. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users