oss-sec mailing list archives

Re: Many vulnerabilities in GnuPG

From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Tue, 30 Dec 2025 23:44:05 -0600

On 12/29/25 18:57, Peter Gutmann wrote:

[...]

A solution for mission-critical use like authenticating downloaded binaries
would be to do two things:

1. Create an app that does just that and nothing else: Here is a blob of data,
here is a detached signature, is it valid for the data?


Does using gpgv(1) with detached signatures fit this bill?

I am unsure what having a separate tool dedicated for verifyingsignatures using trusted keyrings says about the overall system...



-- Jacob

Current thread:

Re: Many vulnerabilities in GnuPG, (continued)
- - - Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 30)
  - Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
- Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 28)
  - Re: Many vulnerabilities in GnuPG Andreas Metzler (Dec 29)
  - Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 29)
    - Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 30)
    - Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 30)
    - Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 30)
    - Re: Many vulnerabilities in GnuPG Collin Funk (Dec 30)
    - Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 31)
    - Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
- Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
  - Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 28)
  - Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 28)
    - Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 29)
    - Re: Many vulnerabilities in GnuPG Alan Coopersmith (Dec 30)
    - Re: Many vulnerabilities in GnuPG Neal Gompa (Dec 29)