On 24/01/15 20:25, Peter Lebbing wrote:
> On 24/01/15 20:05, Philip Jackson wrote:
>> Using GPA 0.9.4 in linux.
>>
>> I downloaded a file and its signature as a .asc from a website that I have
>> used many times.  While looking at the spelling of the filename, I
>> accidentally clicked on the signature file and launched GPA so decided to
>> use it to verify the download.  GPA gave me a 'bad' status.
> 
> I think this might be related to this:
> 
> http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051430.html
> 
> Quoting that mail:
> 
>> Now waiting which tools or scripts will break.  I checked a few (including
>> dpkg) and they do the Right Thing.
> 
> Did the tool GPA just break? :). What is the proper solution anyways? A file
> picker dialog for the signed data?
> 

I doubt the failure is anything caused by gnupg 2.1 (unless maybe the file I
downloaded was signed under 2.1).

I am using 2.0.26 and 1.4.16 and I have signed and tested quite a few files
trying to find out why GPA will verify some but not others.

The only ones I can sign (with cli) and then fail to verify with GPA are when I
use the "gpg --detach-sign -a" command and option.  Such signature files will
verify perfectly well with the command line but not with the GPA gui.

--batch doesn't come into the question either.  And in every case, the matching
data file.txt was in the same directory together with the signature file.txt.asc
file.

Other signature files (.sig, .gpg) were not affected.

My point was that when a file with name like filename.tar.xz.asc is downloaded
with its data file of similar name and someone tries to verify it using GPA,
they could get a false 'bad' signature response from GPA.

Philip

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users