Package: gnupg
Version: 1.4.12-6
Severity: wishlist
Tags: upstream

Hi,

it would be very nice if gpg had a --verify command that would also output the
signed data. (Maybe "gpg --output - --verify"?) Otherwise you know the data is
signed, but still have to extract it somehow.

I have seen software using just

  gpg < $file

to try to do this.  However this doesn't make sure that the input is actually
signed; it would also accept data created with `gpg --store'.

I have also seen software (trying to) extract the data using the markers in a
clearsigned message (`gpg --clearsign') that could be tricked into processing
the wrong data (it did not look for the correct markers).

This would be prevented if there was an option to make gpg --verify also output
the data that was actually signed. Currently the only way to get something
similar seems to be `gpg --status-{fd,file}=... --decrypt < $file' and parsing
the status output, but that is significantly more work (esp. when processing
files in shell).

Ansgar
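
The status-parsing workaround mentioned in the report, written out as an added example (it is not part of the bug report and not GnuPG's own code). The function names, the fail-closed keyword policy, the expected-fingerprint argument and the sample status lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: release signed data only after gpg's status output proves
# a valid signature by the expected key. Names and policy are assumptions.

# sig_status_ok FPR: read `gpg --status-fd` lines on stdin. Succeeds only for
# exactly one GOODSIG/VALIDSIG pair made by FPR (signing or primary key
# fingerprint), at most one PLAINTEXT packet, and no failure keyword.
sig_status_ok() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { good++ }
        $2 == "VALIDSIG"  { valid++; if ($3 == want || $NF == want) signer++ }
        $2 == "PLAINTEXT" { plain++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)$/ { bad++ }
        END { exit !(good == 1 && valid == 1 && signer == 1 &&
                     plain <= 1 && bad == 0) }
    '
}

# verify_and_extract FILE FPR: write the data to a private temp file first,
# because gpg can emit output before the signature check has finished, and
# copy it to stdout only when the status check passes.
verify_and_extract() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if gpg --batch --status-fd 3 --output "$tmp/data" --decrypt \
            < "$1" 3> "$tmp/status" 2> /dev/null &&
       sig_status_ok "$2" < "$tmp/status"; then
        cat "$tmp/data" && rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed status lines (fingerprint and user id are made up).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_signed() {
    printf '%s\n' \
        "[GNUPG:] PLAINTEXT 62 1356998400 " \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2013-01-01 1356998400 0 4 0 1 2 00 $SAMPLE_FPR"
}
# What `gpg --store` input produces: data, but no signature status at all.
sample_stored() { printf '%s\n' "[GNUPG:] PLAINTEXT 62 1356998400 "; }
```
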

