Re: safe use of cleartext signatures? (was: Many vulnerabilities in GnuPG)

[Jacob Bachmeyer <jcb62281 () gmail com>]

On 12/29/25 03:51, Werner Koch wrote:
> Hi!
>
> Jacob was so kind to comment on the reported bugs.  I agree with most of
> his comments.  [...]
Thank you.
> [...] At that time I also drafted an article to explain the well known
> prblem of hard-to-correct-use of cleartext signatures including a bit of
> history: https://gnupg.org/blog/20251226-cleartext-signatures.html

This is also the most important point to me, because cleartext 
signatures have their uses, for example, signing a list of file digests, 
which is also the use case attacked in item 10.

Is there a safe (but presumably less convenient) way to use cleartext 
signatures, perhaps by strictly validating the overall message 
structure, or is this basically an unfixable problem? Could GPG perform 
such validation steps and emit a warning if a clearsigned message does 
not strictly conform?


-- Jacob