gpgverify uses attached signature verifications
gpgverify uses the old attached signature verification method, which doesn't work properly for new-style GnuPG signatures that require Hash headers for attached signatures.
Given that pgpverify does the right thing and gpgverify was added just because it was a simplified version that assumed GnuPG, perhaps it should be removed.
Change History (3)
Resolution: |
→ fixed
|
Status: |
new →
closed
|
Summary: |
gpgverify uses attached signature verifications. →
gpgverify uses attached signature verifications
|
(In [8247]) Remove gpgverify because it uses the old attached signature
verification method, which doesn't work properly for
new-style GnuPG signatures that require Hash headers
for attached signatures.
23:21 news@trigofacile ~% gpgverify < checkgroups-1229673648.sig
zsh: exit 3 gpgverify < checkgroups-1229673648.sig
Note that pgpverify also handles GnuPG signatures, recognizes
their new-style, and is shipped with INN. For that checkgroups,
it answers "[GNUPG:] GOODSIG", etc.
Therefore, pgpverify should be used instead of gpgverify.
close #13