On 07/11/14 22:21, Simon Nicolussi wrote:
> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's not,
> in fact, a detached signature.

Oops! Very nice find, kudos!

> Future announcements should call --verify with two files as arguments; the
> same goes for https://www.gnupg.org/download/integrity_check.html:
>> gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2.sig

However, here's a small mistake. This should read:

gpg --verify gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2

For people not acquainted with this syntax: when --verify has multiple
arguments, the first one is the detached signature and the remaining
arguments are the signed files.

And finally, there is another little thing wrong with the announcement:

> GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server. The list of mirrors can be found at
> https://gnupg.org/mirrors.html . Note that GnuPG is not available at
> ftp.gnu.org.

That is the list of WWW mirrors. It seems more useful to link to
https://gnupg.org/download/mirrors.html .

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
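The difference between the one-argument and two-argument forms of --verify that the thread is about, as an added shell example; it is not code from the original mail and not GnuPG's own documentation. It assumes a gpg binary on PATH (GnuPG 2.1 or later, for --quick-gen-key) and builds everything else itself in throwaway directories: the signing key, a stand-in "release tarball" named gnupg-example.tar.bz2, its genuine detached signature, a modified copy of the tarball, and a substituted .sig file that is an inline-signed message rather than a detached signature. All of those names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): why `gpg --verify <sig>` on its
# own proves nothing about the tarball, and why `gpg --verify <sig> <file>`
# is the form to use. Runs entirely in a scratch keyring and scratch dirs.
set -u
command -v gpg >/dev/null 2>&1 || { echo "this example needs gpg" >&2; exit 1; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME      # private keyring, never the user's
chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry >"$GNUPGHOME/gpg-agent.conf"
WORK=$(mktemp -d)
NAME=gnupg-example.tar.bz2                    # assumed file name for the demo
cleanup() { gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"; }
trap cleanup EXIT

# gpg with the options needed for unattended use of an unprotected test key.
g() { gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Correct form: first argument is the detached signature, the rest are the
# signed file(s). gpg hashes the named file and checks the signature over it.
verify_correct()  { gpg --batch --no-tty --verify "$1/$NAME.sig" "$1/$NAME"; }
# Form from the announcement: gpg verifies whatever the .sig file contains and
# only looks for the data file if that content really is a detached signature.
verify_insecure() { gpg --batch --no-tty --verify "$1/$NAME.sig"; }

# Exit status of one verification as a string: 0 means gpg said "Good signature".
status() { if "$1" "$2"; then echo 0; else echo $?; fi; }

# --- setup: signing key, a release file and its genuine detached signature
g --quick-gen-key "Example Signer <signer@example.invalid>" default default never
mkdir "$WORK/honest" "$WORK/tampered" "$WORK/attack"
printf 'pretend this is the release tarball\n' >"$WORK/honest/$NAME"
g --detach-sign --output "$WORK/honest/$NAME.sig" "$WORK/honest/$NAME"

# Scenario "tampered": genuine .sig, but the tarball was modified afterwards.
cp "$WORK/honest/$NAME.sig" "$WORK/tampered/"
{ cat "$WORK/honest/$NAME"; printf 'malicious payload\n'; } >"$WORK/tampered/$NAME"

# Scenario "attack": modified tarball, and the .sig replaced by an inline-signed
# message. A real attacker would sign it with a key of their own; the point is
# that no detached signature over the tarball exists anywhere in this directory.
cp "$WORK/tampered/$NAME" "$WORK/attack/"
printf 'this is not a detached signature\n' | g --sign --output "$WORK/attack/$NAME.sig"

echo "genuine sig, genuine file,  two-arg verify: exit $(status verify_correct  "$WORK/honest")"   # 0
echo "genuine sig, modified file, two-arg verify: exit $(status verify_correct  "$WORK/tampered")" # 1, BAD signature
echo "inline sig,  modified file, one-arg verify: exit $(status verify_insecure "$WORK/attack")"   # 0, yet the tarball was never read
echo "inline sig,  modified file, two-arg verify: exit $(status verify_correct  "$WORK/attack")"   # depends on gpg version
```

The third line is the finding from the thread: the one-argument form reports "Good signature" for the substituted .sig file, and the modified tarball is never read. Whether the two-argument form fails outright or only warns when handed a non-detached signature depends on the GnuPG version, which is why the last line is printed rather than asserted; either way, the exit status of the two-argument form should be checked and gpg's messages read, rather than trusting a single "Good signature" line.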