Opened 11 years ago

Closed 11 years ago

Last modified 10 years ago

#13 closed defect (fixed)

gpgverify uses attached signature verifications

Reported by: eagle Owned by: eagle
Priority: medium Milestone: 2.5.0
Component: utilities Version:
Severity: normal Keywords:
Cc:

Description

gpgverify uses the old attached signature verification method, which doesn't work properly for new-style GnuPG signatures that require Hash headers for attached signatures.

Given that pgpverify does the right thing and gpgverify was added just because it was a simplified version that assumed GnuPG, perhaps it should be removed.

Change History (3)

comment:1 Changed 11 years ago by Julien ÉLIE

Resolution: fixed
Status: newclosed

(In [8247]) Remove gpgverify because it uses the old attached signature
verification method, which doesn't work properly for
new-style GnuPG signatures that require Hash headers
for attached signatures.

23:21 news@trigofacile ~% gpgverify < checkgroups-1229673648.sig
zsh: exit 3 gpgverify < checkgroups-1229673648.sig

Note that pgpverify also handles GnuPG signatures, recognizes
their new-style, and is shipped with INN. For that checkgroups,
it answers "[GNUPG:] GOODSIG", etc.
Therefore, pgpverify should be used instead of gpgverify.

close #13

comment:2 Changed 10 years ago by Julien ÉLIE

Summary: gpgverify uses attached signature verifications.gpgverify uses attached signature verifications

comment:3 Changed 10 years ago by Julien ÉLIE

Milestone: 2.5.0
Note: See TracTickets for help on using tickets.