On Tue, 30 Dec 2025 12:05, Robert J. Hansen said:

> See, e.g., https://gpg.fail/detached . I've been able to verify the
> bottom line claim here, although I haven't verified their diagnosis.

This is our ticket: https://dev.gnupg.org/T7903

When we fixed the bug in early November, I had put this into the commit log:

But note: Using the output of the verify command for detached signatures is useless because with a non-manipulated signature nothing would have been written. In fact, you should always know whether you expect a detached signature or a binary or cleartext signature.

After the publication of those claimed bugs, we made the ticket public and I commented:

Note using the output of --decrypt directly on the tty is a Bad Idea(tm). You won't cat arbitrary files to your tty for the same reason.

BTW, if you watched CitizenFour please don't follow the example given in the first scene where someone types gpg -d on the tty.

> particular concern. (Point blank: if in 2025 you're using GnuPG at the
> command line for anything except certificate management, please
> stop. Parsing GnuPG's command line output is notoriously

Well you need to know what you do. As always when making use of tools.

> difficult. Use GPGME with language bindings of your choice.)

Indeed, that makes it easier to get things right. BTW, gpgme even comes with a JSON frontend which can for example be used for Native Messaging with browsers.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
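
The advice in the message above, to always know whether you expect a detached, binary or cleartext signature, can be enforced before any verify call. The following is an added example, not part of the original message and not GnuPG or GPGME code: it walks the RFC 4880 packet headers of binary (dearmored) input and accepts it as a detached signature only if every packet is a Signature packet (tag 2). The function names and sample bytes are constructed for illustration.

```python
SIGNATURE_TAG = 2  # RFC 4880 section 4.3: tag 2 is a Signature packet
# Constructed samples: only the packet headers are meaningful, bodies are dummies.
DETACHED = b"\x88\x03\x04\x00\x01" + b"\xc2\x02\x04\x00"          # two signature packets
INLINE = b"\x90\x01\x03" + b"\xac\x02" + b"b\x00" + b"\x88\x01\x04"  # one-pass, literal, sig


def packet_tags(data):
    """Return the tag of every top-level OpenPGP packet in binary (dearmored) data."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"offset {pos}: not an OpenPGP packet header")
        pos += 1
        if hdr & 0x40:  # new-format header: tag in bits 5-0
            tag = hdr & 0x3F
            first = data[pos]
            if first < 192:  # one-octet length
                length, pos = first, pos + 1
            elif first < 224:  # two-octet length
                length = ((first - 192) << 8) + data[pos + 1] + 192
                pos += 2
            elif first == 255:  # five-octet length
                length = int.from_bytes(data[pos + 1:pos + 5], "big")
                pos += 5
            else:  # partial body lengths are only used by data packets
                raise ValueError("partial body length: not a signature packet")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length: not a signature packet")
            size = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags


def is_detached_signature(data):
    """True only if the input consists solely of Signature packets."""
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == SIGNATURE_TAG for t in tags)
```

This check only rejects input of an unexpected kind; the verification itself still belongs in GPGME, as recommended in the thread.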
