Message-ID: <f1811ded-6a8c-4eca-a8fc-4f9c77e4db5a@gmail.com>
Date: Tue, 30 Dec 2025 00:34:04 -0600
From: Jacob Bachmeyer <jcb62281@...il.com>
To: Werner Koch <wk@...pg.org>
Cc: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>,
 contact@....fail
Subject: Re: safe use of cleartext signatures? (was: Many
 vulnerabilities in GnuPG)

On 12/29/25 03:51, Werner Koch wrote:
> Hi!
>
> Jacob was so kind to comment on the reported bugs.  I agree with most of
> his comments.  [...]
Thank you.
> [...] At that time I also drafted an article to explain the well known
> problem of hard-to-correct-use of cleartext signatures including a bit of
> history: https://gnupg.org/blog/20251226-cleartext-signatures.html

This is also the most important point to me, because cleartext 
signatures have their uses, for example, signing a list of file digests, 
which is also the use case attacked in item 10.

Is there a safe (but presumably less convenient) way to use cleartext 
signatures, perhaps by strictly validating the overall message 
structure, or is this basically an unfixable problem? Could GPG perform 
such validation steps and emit a warning if a clearsigned message does 
not strictly conform?
-- Jacob
