Werner Koch:
> On Mon, 12 Jan 2015 03:19, [email protected] said:
>
>> Suppose a file has been `--clearsign`ed. Then an adversary prepended or
>> appended extraneous content.
>
> That is what the signature is all about ;-). Use
>
>   gpg --verify --output OUT SIGNEDDATA
>
> to write the _verified_ content of the file SIGNEDDATA to the file OUT.
> You also need to check the verification status of course.

Tried your syntax. And also tried this one:

    gpg --output ./out --verify ./sha512sums.asc

Never created an "out" file for me. However, what works for me is this:

    gpg --output ./out --verify ./sha512sums.asc

When it exits 0, then this approach is sound, sane and fine?

-----

Is there a way to detect that a file looks like this:

##################################
b4e5ac6ceb9812dacf1f5db26c65b3329da031b0ef5a6107e38e2d92b91ae5f6daff6e6774fbb0ab5bb4148ae4f71b4511595149876f181c40fba5ec0e20a399 test
##################################

vs a file looking like this:

##################################
prepended content
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

b4e5ac6ceb9812dacf1f5db26c65b3329da031b0ef5a6107e38e2d92b91ae5f6daff6e6774fbb0ab5bb4148ae4f71b4511595149876f181c40fba5ec0e20a399 test
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
appended content
##################################

Any way to distinguish both states?

Cheers,
Patrick
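
Added example, not part of the thread above and not GnuPG code: one way to tell the two file layouts from the question apart by looking only at the cleartext-signature armor lines. The function name `classify`, the state names and the sample texts are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def classify(text):
    """Return (state, prepended, appended) for the text of a file.

    state is "unsigned", "clearsigned", "clearsigned+extra" or "malformed".
    prepended/appended list the non-blank lines outside the armor, which
    no signature covers.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
    except ValueError:
        return ("unsigned", [], [])
    # Inside the signed text, lines starting with "-" are dash-escaped
    # ("- -----BEGIN ..."), so the first bare markers after BEGIN_MSG
    # are the real boundaries of the signed block.
    try:
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return ("malformed", [], [])
    prepended = [ln for ln in lines[:start] if ln]
    appended = [ln for ln in lines[end + 1:] if ln]
    state = "clearsigned+extra" if prepended or appended else "clearsigned"
    return (state, prepended, appended)


# Constructed samples: the digest and signature body are placeholders.
PLAIN = "<constructed-digest>  test\n"
CLEAN = "\n".join([BEGIN_MSG, "Hash: SHA512", "", "<constructed-digest>  test",
                   BEGIN_SIG, "", "<signature data omitted>", END_SIG, ""])
TAMPERED = "prepended content\n" + CLEAN + "appended content\n"

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("clean", CLEAN),
                         ("tampered", TAMPERED)):
        print(name, classify(sample))
```

A result of "clearsigned" only describes the file layout; the signature itself still has to be verified with gpg and its exit status checked.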
