Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87ms30s6eo.fsf@jacob.g10code.de>
Date: Tue, 30 Dec 2025 09:47:11 +0100
From: Werner Koch <wk@...pg.org>
To: Jacob Bachmeyer <jcb62281@...il.com>
Cc: oss-security@...ts.openwall.com,  Solar Designer <solar@...nwall.com>,
  contact@....fail
Subject: Re: safe use of cleartext signatures?

On Tue, 30 Dec 2025 00:34, Jacob Bachmeyer said:

> structure, or is this basically an unfixable problem? Could GPG
> perform such validation steps and emit a warning if a clearsigned
> message does not strictly conform?

It does.  The thing here is that you need to known what has been signed.
The only way to do this is to let gpg give you the signed and unescaped)
data (with --output FILE).  Actually we have the same problem with MIME
when forwarding a mail.  Not all MUAs correctly mark which parts are
signed by which signature.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

Download attachment "openpgp-digital-signature.asc" of type "application/pgp-signature" (285 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.