So I'm not sure I understand correctly what's going on here, but bear with me. This works without warning:
$ gpg --output signed --verify < signed.asc
File 'signed' exists. Overwrite? (y/N) y
gpg: Signature made Wed May 15 20:29:42 2019 EDT
gpg: using RSA key 4F95A91F7B3487230BC9CCF5B5FB9E3E3661A436
gpg: please do a --check-trustdb
[...]
Primary key fingerprint: 4F95 A91F 7B34 8723 0BC9 CCF5 B5FB 9E3E 3661 A436
$ sha256sum signed
f1baa747a8ed95137b33d0492ec72e19ec6e454f8b4e70e9af163ed6e9cb350f signed
But this yields a warning:
$ gpg --output signed --verify signed.asc
File 'signed' exists. Overwrite? (y/N) y
gpg: Signature made Wed May 15 20:29:42 2019 EDT
gpg: using RSA key 4F95A91F7B3487230BC9CCF5B5FB9E3E3661A436
[...]
Primary key fingerprint: 4F95 A91F 7B34 8723 0BC9 CCF5 B5FB 9E3E 3661 A436
gpg: WARNING: not a detached signature; file 'signed' was NOT verified!
$ sha256sum signed
f1baa747a8ed95137b33d0492ec72e19ec6e454f8b4e70e9af163ed6e9cb350f signed
The file is exactly the same, and the file 'signed' in effect *WAS* verified. So I feel this warning is inaccurate:
gpg: WARNING: not a detached signature; file 'signed' was NOT verified!
If it isn't, it seems to me it *should* be able to make such an accurate statement (or not). I understand it might *stream* the content from the OpenPGP message and therefore add garbage at the beginning or end of file that might corrupt the signature. But GnuPG should be able to figure that out and fire that message only in that case.
Because that warning is present in one case and not the other, I am left totally confused as to whether this message is actually verified or not. Maybe < message.asc didn't actually verify the message? Who knows... (I know now that it does, after a lengthy conversation with #gnupg folks, thanks @dkg, but it seems to me this shouldn't be part of the message verification routine.)
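The confusion above comes from reading gpg's human-readable log lines. The unambiguous answer is in gpg's machine-readable status lines (the --status-fd option), which a script can check for a GOODSIG/VALIDSIG pair from the expected fingerprint and for any failure keyword. The following is an added example, not code from this report or from GnuPG; the status lines it parses are constructed (the fingerprint is the one printed in the transcript, the timestamps and user ID are invented), and gpg_status is an assumed helper showing how such text would be collected.

```python
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Status keywords after which a signature must not be trusted, whatever else
# gpg printed (keywords as documented in doc/DETAILS of the GnuPG sources).
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "UNEXPECTED", "FAILURE"}

@dataclass
class Verdict:
    verified: bool
    fingerprint: Optional[str] = None      # signing key, only when verified
    reasons: List[str] = field(default_factory=list)

def normalize_fpr(fpr: str) -> str:
    """Accept the spaced form gpg prints ('4F95 A91F ...') or bare hex."""
    return fpr.replace(" ", "").upper()

def verdict_from_status(status_text: str, expected_fpr: str) -> Verdict:
    """Decide from '[GNUPG:]' status lines only. Log lines such as the
    'WARNING: not a detached signature' message are not status lines and
    are ignored, so they cannot make the result ambiguous."""
    want = normalize_fpr(expected_fpr)
    goodsig, signer, fprs, reasons = False, None, set(), []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue                                  # not a status line
        kw = parts[1]
        if kw == "GOODSIG":
            goodsig = True
        elif kw == "VALIDSIG" and len(parts) >= 3:
            signer = parts[2]                         # fingerprint of signing key
            fprs.add(signer)
            if len(parts) >= 12:
                fprs.add(parts[11])                   # optional primary-key fpr
        elif kw in FAILURE_KEYWORDS:
            reasons.append(line)
    if not goodsig or not fprs:
        reasons.append("no GOODSIG/VALIDSIG pair: nothing was verified")
    elif want not in fprs:
        reasons.append(f"signed by {sorted(fprs)}, expected {want}")
    return Verdict(not reasons, signer if not reasons else None, reasons)

def gpg_status(path: str) -> str:
    """Assumed helper: run gpg with status lines sent to fd 2 (stderr), where
    they are mixed with log messages that verdict_from_status filters out."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--verify", path],
                          capture_output=True, text=True)
    return proc.stderr

# Constructed status output for a message like the one in the transcript.
SAMPLE_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B5FB9E3E3661A436 Webmail User <user@example.invalid>
[GNUPG:] VALIDSIG 4F95A91F7B3487230BC9CCF5B5FB9E3E3661A436 2019-05-15 1557966582 0 4 0 1 8 00 4F95A91F7B3487230BC9CCF5B5FB9E3E3661A436
"""
# Constructed status output for input that is not an OpenPGP message at all.
SAMPLE_NODATA = "[GNUPG:] NODATA 1\n"
```

Pinning the expected fingerprint matters: a GOODSIG from some other key in the keyring is still "good" to gpg but not to you.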
I understand this is a rather weird edge case, but I suspect it might happen more often than we expect. This is a webmail user trying to send me signed text. I believe they might have done:
gpg --sign --armor
And then typed their message and copy-pasted it in their email client which, arguably, is a totally reasonable thing to do.