GPA fails to verify certain .asc files

Peter Lebbing peter at digitalbrains.com
Sun Jan 25 11:05:10 CET 2015


I was postulating that the breakage might be related to the fact that GnuPG in
batch mode no longer verifies a detached signature as valid when it is only
given the detached signature, instead of the pair of signed file and detached
signature. This security fix was backported to 2.0 and 1.4, so it does apply.

On 24/01/15 22:23, Philip Jackson wrote:
> --batch doesn't come into the question either. 

I refer you to line 857 of src/engine-gpg.c in GPGME[1], which is used by GPA:

argv[argc] = strdup ("--batch");

I think it's quite likely --batch comes into play in your scenario, although I'm
not well acquainted with the source code.

By the way, I think it'd be helpful if you could indicate your distribution and
the version of GPA you use. Also, if you don't use the packages from your
distribution but instead compile yourself, that would of course be very valuable
information.

HTH,

Peter.

[1]
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob;f=src/engine-gpg.c;h=30c3bfbe2389c8d7475e449f4e6d863772661dcb;hb=HEAD#l857

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list