[Pkg-gnupg-maint] Bug#704645: Bug#704645: Processed: Re: Bug#704613: cdebootstrap: signature verification bypass with manipulated InRelease file

Thijs Kinkhorst thijs at debian.org
Mon Oct 7 18:42:36 UTC 2013


On Sat, April 6, 2013 12:45, Thijs Kinkhorst wrote:
> I'm seeking input from GnuPG upstream for their view on this case.

I have forwarded the issue. Upstream acknowledges the issue but does not
seem prepared to change the behaviour of the --verify command.

As described in #705536, I do not think that changing the behaviour in
Debian specifically will advance the situation (rather deteriorate it).
Therefore, the option left is to clearly document the risk of the command.
Upstream has put this text in the man page section describing the command.

    "Note: When verifying a cleartext signature, `gpg' verifies only
    what makes up the cleartext signed data and not any extra data
    outside of the cleartext signature or header lines following
    directly the dash marker line.  The option `--output' may be used
    to write out the actual signed data; but there are other pitfalls
    with this format as well.  It is suggested to avoid cleartext
    signatures in favor of detached signatures."

I think this is what from a Debian standpoint completes what we can do for
this issue.


Cheers,
Thijs
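To make the man page caveat quoted above concrete, here is an added example (not from the bug report, cdebootstrap or GnuPG) of the defensive counterpart: a Python function that returns only the text a cleartext signature actually covers and rejects a file carrying anything outside that envelope, so a consumer never parses the unsigned bytes that `gpg --verify` ignores. The InRelease-style file contents and the signature block are constructed placeholders.

```python
# Extract exactly the data a cleartext signature covers (RFC 4880, section 7)
# and refuse files with data outside the signed envelope.  Constructed example;
# gpg --verify must still be run on the original file to check the signature.
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


class UnsignedDataError(ValueError):
    """Raised when the file carries data that no signature covers."""


def extract_signed_text(clearsigned: str) -> str:
    """Return the signed text; raise UnsignedDataError on unsigned extras.

    Unsigned regions: anything before BEGIN, the header lines (e.g. "Hash:")
    between the dash marker and the first blank line, and anything after END.
    """
    lines = clearsigned.split("\n")
    try:
        b = lines.index(BEGIN)
        s = lines.index(SIG_BEGIN, b)
        e = lines.index(SIG_END, s)
    except ValueError:
        raise UnsignedDataError("no complete cleartext signature envelope")
    if any(line.strip() for line in lines[:b]):
        raise UnsignedDataError("data before the signed message marker")
    if any(line.strip() for line in lines[e + 1:]):
        raise UnsignedDataError("data after the signature block")
    i = b + 1                      # skip header lines up to the blank line
    while i < s and lines[i] != "":
        i += 1
    body = lines[i + 1:s]
    # Undo dash-escaping: a signed line beginning with '-' is stored as "- -".
    return "\n".join(line[2:] if line.startswith("- ") else line for line in body)


def has_unsigned_data(clearsigned: str) -> bool:
    """True if the file would be rejected by extract_signed_text."""
    try:
        extract_signed_text(clearsigned)
        return False
    except UnsignedDataError:
        return True


# Constructed sample in the shape of an InRelease file (placeholder signature).
CLEAN_INRELEASE = (
    f"{BEGIN}\nHash: SHA256\n\nOrigin: Example\nSuite: stable\n- --not-a-marker\n"
    f"{SIG_BEGIN}\nplaceholder-signature-data\n{SIG_END}\n"
)
```

Passing the original file to `gpg --verify` and then consuming only the returned text is equivalent to the `--output` route the man page suggests; parsing the file as a whole is what the cdebootstrap bug did.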
