oss-sec mailing list archives

Re: safe use of cleartext signatures?


From: Demi Marie Obenour <demiobenour () gmail com>
Date: Tue, 30 Dec 2025 15:06:37 -0500

On 12/30/25 03:47, Werner Koch wrote:
> On Tue, 30 Dec 2025 00:34, Jacob Bachmeyer said:
>
>> structure, or is this basically an unfixable problem? Could GPG
>> perform such validation steps and emit a warning if a clearsigned
>> message does not strictly conform?
>
> It does.  The thing here is that you need to know what has been signed.
> The only way to do this is to let gpg give you the signed (and unescaped)
> data (with --output FILE).  Actually we have the same problem with MIME
> when forwarding a mail.  Not all MUAs correctly mark which parts are
> signed by which signature.

What about for detached signatures?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
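The point Werner makes above, that the bytes covered by a cleartext signature are not the same as the text a reader sees on screen, can be shown by walking the RFC 4880 cleartext signature framework by hand. The following Python is an added example written for this thread; it is not code from GnuPG or from any of the participants. It assumes only the framework rules from RFC 4880 section 7 (Hash armor headers, dash-escaping, trailing-whitespace removal, CRLF line endings, and the final line ending before the signature armor not being signed), and the sample message it parses is constructed, with a placeholder where a real signature block would be. It recovers the exact signed payload and flags text that sits outside the framework and is therefore not covered by the signature, which is the kind of non-conformance the thread asks about.

```python
from typing import List, NamedTuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class Clearsigned(NamedTuple):
    hash_algos: List[str]      # values of the Hash: armor header(s)
    signed_text: bytes         # canonical bytes the signature actually covers
    armored_signature: str     # the signature armor block, verbatim
    unsigned_before: str       # text preceding the framework (not signed)
    unsigned_after: str        # text following the framework (not signed)
    unescaped_dash_lines: List[str]  # body lines that violate dash-escaping


def parse_clearsigned(msg: str) -> Clearsigned:
    """Split a cleartext-signed message into signed and unsigned parts."""
    lines = msg.replace("\r\n", "\n").split("\n")
    try:
        i_begin = lines.index(BEGIN_SIGNED)
        i_sig = lines.index(BEGIN_SIG, i_begin + 1)
        i_end = lines.index(END_SIG, i_sig + 1)
    except ValueError:
        raise ValueError("incomplete cleartext signature framework")

    # Armor headers run from the line after BEGIN up to the first blank line.
    hashes: List[str] = []
    j = i_begin + 1
    while j < i_sig and lines[j] != "":
        name, sep, value = lines[j].partition(":")
        if not sep:
            raise ValueError(f"malformed armor header: {lines[j]!r}")
        if name.strip() == "Hash":
            hashes.extend(v.strip() for v in value.split(","))
        j += 1
    if j >= i_sig:
        raise ValueError("missing blank line after armor headers")

    # Canonicalize the body: undo dash-escaping, drop trailing spaces/tabs,
    # join with CRLF, and omit the line ending before the signature armor.
    canon: List[str] = []
    bad_dash: List[str] = []
    for line in lines[j + 1:i_sig]:
        if line.startswith("- "):
            line = line[2:]
        elif line.startswith("-"):
            bad_dash.append(line)   # RFC 4880 requires this to be escaped
        canon.append(line.rstrip(" \t"))
    signed_text = "\r\n".join(canon).encode("utf-8")

    return Clearsigned(
        hash_algos=hashes,
        signed_text=signed_text,
        armored_signature="\n".join(lines[i_sig:i_end + 1]),
        unsigned_before="\n".join(lines[:i_begin]),
        unsigned_after="\n".join(lines[i_end + 1:]),
        unescaped_dash_lines=bad_dash,
    )


def conformance_warnings(msg: str) -> List[str]:
    """Return the strict-conformance problems a verifier could warn about."""
    r = parse_clearsigned(msg)
    warnings: List[str] = []
    if r.unsigned_before.strip():
        warnings.append("unsigned text before the signed message")
    if r.unsigned_after.strip():
        warnings.append("unsigned text after the signature")
    if not r.hash_algos:
        warnings.append("no Hash armor header")
    if r.unescaped_dash_lines:
        warnings.append("body line starting with '-' is not dash-escaped")
    return warnings


# Constructed sample: text outside the framework plus a placeholder signature.
SAMPLE = "\n".join([
    "Text before the framework is not covered by the signature.",
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "- -- release notes",
    "Version 1.2.3 is out.   ",      # trailing spaces are not signed
    BEGIN_SIG,
    "",
    "PLACEHOLDER-not-a-real-signature",
    END_SIG,
    "Trailing text is also outside the signature.",
])

# Constructed sample with nothing outside the framework.
CLEAN = "\n".join(SAMPLE.split("\n")[1:-1])

if __name__ == "__main__":
    parsed = parse_clearsigned(SAMPLE)
    print("signed bytes:", parsed.signed_text)
    print("warnings:", conformance_warnings(SAMPLE))
```

Running it on SAMPLE shows that the signed payload is `-- release notes\r\nVersion 1.2.3 is out.` while the surrounding sentences are reported as unsigned; this is the "signed and unescaped data" view Werner refers to, as opposed to the message as displayed.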

