T7903 - detached (was: https://gpg.fail)
Werner Koch
wk at gnupg.org
Tue Dec 30 19:10:24 CET 2025
On Tue, 30 Dec 2025 12:05, Robert J. Hansen said:
> See, e.g., https://gpg.fail/detached . I've been able to verify the
> bottom line claim here, although I haven't verified their diagnosis.
This is our ticket: https://dev.gnupg.org/T7903
When we fixed the bug in early November, I had put this into the commit
log:
  But note: Using the output of the verify command for detached
  signatures is useless because with a non-manipulated signature nothing
  would have been written.
In fact, you should always know whether you expect a detached signature
or a binary or cleartext signature.
After the publication of those claimed bugs, we made the ticket public
and I commented:
  Note using the output of --decrypt directly on the tty is a Bad
  Idea(tm). You won't cat arbitrary files to your tty for the same
  reason.
BTW, if you watched CitizenFour please don't follow the example given
in the first scene where someone types gpg -d on the tty.
> particular concern. (Point blank: if in 2025 you're using GnuPG at the
> command line for anything except certificate management, please
> stop. Parsing GnuPG's command line output is notoriously
Well you need to know what you do. As always when making use of tools.
> difficult. Use GPGME with language bindings of your choice.)
Indeed, that makes it easier to get things right. BTW, gpgme even comes
with a JSON frontend which can for example be used for Native Messaging
with browsers.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
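Added example, not part of the message above and not GnuPG or GPGME code: one way to enforce "know which kind of signature you expect" before handing a file to a verifier is to check that a claimed detached signature contains only Signature packets (tag 2 in the RFC 4880 packet format). It assumes binary (dearmored) input; the function names and the sample byte strings are constructed for illustration, and the check does not verify any signature.

```python
"""Added example: does a binary OpenPGP file hold only Signature packets?"""
SIGNATURE, ONE_PASS_SIG, LITERAL = 2, 4, 11   # packet tags from RFC 4880

def packet_tags(data: bytes) -> list:
    """Return the tag of each top-level packet; ValueError/IndexError if malformed."""
    tags, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if first & 0x40:                      # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:                             # partial lengths are for data packets only
                raise ValueError("partial body length")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length")
            n = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags

def is_detached_signature(data: bytes) -> bool:
    """True only if the input is one or more Signature packets and nothing else."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE for t in tags)

def _pkt(tag: int, body: bytes) -> bytes:
    """Constructed sample packet: new-format header, one-octet length (< 192)."""
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed inputs with dummy bodies; only the headers matter to this check.
DETACHED = _pkt(SIGNATURE, b"\x04" * 12)
INLINE = _pkt(ONE_PASS_SIG, b"\x03" * 13) + _pkt(LITERAL, b"b\x00" + b"\x00" * 4 + b"hi") + DETACHED

if __name__ == "__main__":
    print(is_detached_signature(DETACHED), is_detached_signature(INLINE), packet_tags(INLINE))
```

A file that passes this check still has to be verified against the data it claims to sign; the check only rejects input that carries its own message data where a bare signature was expected.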