[
https://issues.apache.org/jira/browse/DIR-334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834539#comment-16834539
]
Sebb commented on DIR-334:
--------------------------
Yes, I know. But that is unsafe - see [1]
If the second parameter is omitted, for a detached signature it will check
against the implied main file.
However, for a combined file/signature it will only check the combined file.
The other file is not checked unless the parameter is provided, so it could be
anything.
The only way to be sure that the main file is checked is to provide it as the
second parameter
> Download page gpg example needs second parameter
> ------------------------------------------------
>
> Key: DIR-334
> URL: https://issues.apache.org/jira/browse/DIR-334
> Project: Directory
> Issue Type: Bug
> Reporter: Sebb
> Assignee: Emmanuel Lecharny
> Priority: Major
>
> {color:#222222}It is important that the file being checked is also specified
> [1] on the gpg command line.{color}
> {color:#222222}[1]
> [{color}[https://www.apache.org/info/verification.html#specify_both]{color:#222222}]{color}
> {color:#222222}[2]
> {color}[https://jackrabbit.apache.org/jcr/downloads.html#verify]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
