mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-02 22:46:30 +02:00
gpg: Make the use of "--verify FILE" for detached sigs harder.
* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signatures.
--
Allowing to use the abbreviated form for detached signatures is a long
standing bug which has only been noticed by the public with the
release of 2.1.0. :-(
What we do is to remove the ability to check detached signature in
--batch using the one file abbreviated mode. This should exhibit
problems in scripts which use this insecure practice. We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:
gpgv: Good signature from "Werner Koch (dist sig)"
gpgv: WARNING: not a detached signature; \
file 'gnupg-2.1.0.tar.bz2' was NOT verified!
We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.
Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 69384568f6
)
Updated doc/gpg.texi.
This commit is contained in:
parent
42d2474a02
commit
fbb50867f8
5 changed files with 129 additions and 47 deletions
27
doc/gpg.texi
27
doc/gpg.texi
|
@ -198,16 +198,22 @@ files which don't begin with an encrypted message.
|
|||
|
||||
@item --verify
|
||||
@opindex verify
|
||||
Assume that the first argument is a signed file or a detached signature
|
||||
and verify it without generating any output. With no arguments, the
|
||||
signature packet is read from STDIN. If only a sigfile is given, it may
|
||||
be a complete signature or a detached signature, in which case the
|
||||
signed stuff is expected in a file without the ".sig" or ".asc"
|
||||
extension. With more than 1 argument, the first should be a detached
|
||||
signature and the remaining files are the signed stuff. To read the
|
||||
signed stuff from STDIN, use @samp{-} as the second filename. For
|
||||
security reasons a detached signature cannot read the signed material
|
||||
from STDIN without denoting it in the above way.
|
||||
Assume that the first argument is a signed file and verify it without
|
||||
generating any output. With no arguments, the signature packet is
|
||||
read from STDIN. If only a one argument is given, it is expected to
|
||||
be a complete signature.
|
||||
|
||||
With more than 1 argument, the first should be a detached signature
|
||||
and the remaining files ake up the the signed data. To read the signed
|
||||
data from STDIN, use @samp{-} as the second filename. For security
|
||||
reasons a detached signature cannot read the signed material from
|
||||
STDIN without denoting it in the above way.
|
||||
|
||||
Note: If the option @option{--batch} is not used, @command{gpg}
|
||||
may assume that a single argument is a file with a detached signature
|
||||
and it will try to find a matching data file by stripping certain
|
||||
suffixes. Using this historical feature to verify a detached
|
||||
signature is strongly discouraged; always specify the data file too.
|
||||
|
||||
Note: When verifying a cleartext signature, @command{gpg} verifies
|
||||
only what makes up the cleartext signed data and not any extra data
|
||||
|
@ -217,6 +223,7 @@ out the actual signed data; but there are other pitfalls with this
|
|||
format as well. It is suggested to avoid cleartext signatures in
|
||||
favor of detached signatures.
|
||||
|
||||
|
||||
@item --multifile
|
||||
@opindex multifile
|
||||
This modifies certain other commands to accept multiple files for
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue