Aug 21 2013
I'm reading in your response that you're not eager to change the behaviour of
--verify in this regard, right?
If that's the case, perhaps you can consider this patch to add a note to the
documentation, making it clear what is expected when using --verify on inline
signed files with auxiliary data. After all, we've seen several places where
--verify was used insecurely in the wild, so some warning may be in order.
Jun 26 2013
Yes. I think we're in agreement that MIME and detached signatures are the best way.
However, the functionality in gpg to check cleartext messages is there. If gpg
is confronted with a cleartext file containing auxiliary data, wouldn't it
better refrain from giving a positive return code when checking that file?
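A defender-side pre-check for the situation both comments describe, added here as an example and not code from GnuPG or from the commenter: it assumes the RFC 4880 cleartext-signature framing and a constructed sample file, flags unsigned data outside the signed block, and recovers the signed text so that only that text is consumed after gpg reports a good signature.

```python
"""Added example (not GnuPG code): detect unsigned auxiliary data around an
OpenPGP cleartext-signed block (RFC 4880 section 7) and recover the signed
text, so only that text is consumed once gpg reports a good signature."""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_cleartext(text):
    """Return (leading_aux, signed_body, trailing_aux) for one signed block.
    Raises ValueError if malformed or if more than one signed block exists."""
    lines = text.split("\n")
    starts = [i for i, line in enumerate(lines) if line == BEGIN_MSG]
    if len(starts) != 1:
        raise ValueError("expected one signed block, found %d" % len(starts))
    start = starts[0]
    try:
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
    except ValueError:
        raise ValueError("signature armor missing or unterminated") from None
    # Armor headers such as "Hash: SHA256" run up to the first blank line.
    body_start = start + 1
    while body_start < sig and lines[body_start] != "":
        body_start += 1
    body_start += 1  # skip the blank separator line
    # Undo dash-escaping: a signed line starting with "-" was prefixed "- ".
    body = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig]]
    return "\n".join(lines[:start]), "\n".join(body), "\n".join(lines[end + 1:])


def has_auxiliary_data(text):
    """True if anything but whitespace lies outside the signed block."""
    leading, _, trailing = split_cleartext(text)
    return bool(leading.strip() or trailing.strip())


# Constructed sample: unsigned text before and after one signed block.
SAMPLE = """Forwarded note:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -- signed instructions --
update available at example.org
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
Unsigned postscript added after the block."""
```

This complements rather than replaces gpg: run `gpg --verify` (or `gpg --decrypt`, which emits only the signed text) as usual, and treat a file for which `has_auxiliary_data` is true as untrusted even when gpg returns success.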