diff options
| author | Werner Koch <[email protected]> | 2014-11-13 16:39:31 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-11-13 16:39:31 +0000 |
| commit | 69384568f66a48eff3968bb1714aa13925580e9f (patch) | |
| tree | fbb539760619692e2bc4069a15869889335edc3d /doc | |
| parent | gpg: Fix a missing LF in debug output. (diff) | |
| download | gnupg-69384568f66a48eff3968bb1714aa13925580e9f.tar.gz gnupg-69384568f66a48eff3968bb1714aa13925580e9f.zip | |
gpg: Make the use of "--verify FILE" for detached sigs harder.
* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signatures.
--
Allowing to use the abbreviated form for detached signatures is a long
standing bug which has only been noticed by the public with the
release of 2.1.0. :-(
What we do is to remove the ability to check detached signature in
--batch using the one file abbreviated mode. This should exhibit
problems in scripts which use this insecure practice. We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:
gpgv: Good signature from "Werner Koch (dist sig)"
gpgv: WARNING: not a detached signature; \
file 'gnupg-2.1.0.tar.bz2' was NOT verified!
We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.
Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/gpg.texi | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index 499df8770..634b4e26b 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -214,16 +214,22 @@ files which don't begin with an encrypted message. @item --verify @opindex verify -Assume that the first argument is a signed file or a detached signature -and verify it without generating any output. With no arguments, the -signature packet is read from STDIN. If only a sigfile is given, it may -be a complete signature or a detached signature, in which case the -signed stuff is expected in a file without the ".sig" or ".asc" -extension. With more than 1 argument, the first should be a detached -signature and the remaining files are the signed stuff. To read the -signed stuff from STDIN, use @samp{-} as the second filename. For -security reasons a detached signature cannot read the signed material -from STDIN without denoting it in the above way. +Assume that the first argument is a signed file and verify it without +generating any output. With no arguments, the signature packet is +read from STDIN. If only a one argument is given, it is expected to +be a complete signature. + +With more than 1 argument, the first should be a detached signature +and the remaining files ake up the the signed data. To read the signed +data from STDIN, use @samp{-} as the second filename. For security +reasons a detached signature cannot read the signed material from +STDIN without denoting it in the above way. + +Note: If the option @option{--batch} is not used, @command{@gpgname} +may assume that a single argument is a file with a detached signature +and it will try to find a matching data file by stripping certain +suffixes. Using this historical feature to verify a detached +signature is strongly discouraged; always specify the data file too. Note: When verifying a cleartext signature, @command{gpg} verifies only what makes up the cleartext signed data and not any extra data |