retitle 704645 gpg --verify suggests entire file was verified, even if file contains auxiliary data thanks
Hi,

After some discussion I've come to the following description of this request (submitters, please correct or augment where necessary):

"gpg --verify <filename>" returns a binary answer: has a valid signature, doesn't have a valid signature. This is described in the man page as "Assume that the first argument is a signed file or a detached signature and verify it without generating any output." This works well for detached signatures or for files that contain only a clearsigned message and nothing else.

The problem comes in when somewhere in a file a valid block of clearsigned text is present, but this block is preceded or followed by auxiliary data. Running "gpg --verify" on that file results in an assertion that "the file" has a "valid signature", while in fact only a part of the file was verified, with no way of knowing which.

As it turned out, implementors have been assuming that running "gpg --verify" on a file yields enough information to further process that file as if all data in it were correctly signed. It has been argued that running "gpg --verify" in its current form on a clearsigned file is useless, as it only tells you that "something somewhere in that file has a valid signature". (There is currently a working way to verify and extract only the signed data, which is by using --status-fd and parsing its output.)

I'm seeking input from GnuPG upstream for their view on this case.

Cheers,
Thijs
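The failure mode described in the report (a clearsigned block surrounded by unsigned data that "gpg --verify" still reports as good) can be guarded against on the consumer side. The following is an added example, not code from the bug report or from GnuPG: it checks that a file consists of exactly one clearsigned armor block and nothing else, extracts the signed text from such a block (undoing the RFC 4880 dash-escaping), and parses the "[GNUPG:]" lines that "gpg --status-fd" emits so that only GOODSIG results are accepted. The sample file contents and status lines are constructed for illustration (the armor body is a placeholder, not a real signature); run_gpg_verify() assumes a gpg binary on PATH and is not exercised here.

```python
# Added example (not part of the bug report or of GnuPG): reject files in
# which a clearsigned block is accompanied by unsigned data, and read gpg's
# --status-fd output instead of trusting a bare "gpg --verify" exit status.
import subprocess

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
STATUS_PREFIX = "[GNUPG:] "


def find_clearsign_blocks(text):
    """Return (start, end) character offsets of every clearsigned block."""
    blocks, pos = [], 0
    while True:
        start = text.find(BEGIN_MSG, pos)
        if start < 0:
            break
        end = text.find(END_SIG, start)
        if end < 0:
            break  # unterminated block: ignore the fragment
        end += len(END_SIG)
        blocks.append((start, end))
        pos = end
    return blocks


def audit_clearsigned_file(text):
    """Report whether the file holds exactly one clearsigned block and nothing
    else. gpg --verify succeeds on the block alone, so bytes outside it were
    never verified; a consumer should refuse such a file."""
    blocks = find_clearsign_blocks(text)
    if not blocks:
        return {"blocks": 0, "leading": 0, "trailing": 0, "exclusive": False}
    leading = text[:blocks[0][0]]
    trailing = text[blocks[-1][1]:]
    exclusive = (len(blocks) == 1
                 and leading.strip() == ""
                 and trailing.strip() == "")  # only blank space is tolerated
    return {"blocks": len(blocks), "leading": len(leading),
            "trailing": len(trailing), "exclusive": exclusive}


def signed_payload(text):
    """Return the signed text of the single clearsigned block, with the
    RFC 4880 dash-escaping ('- ' prefix) removed, or None if the file is not
    exclusively one block."""
    if not audit_clearsigned_file(text)["exclusive"]:
        return None
    start, _ = find_clearsign_blocks(text)[0]
    sig_at = text.find(BEGIN_SIG, start)
    if sig_at < 0:
        return None
    lines = text[start:sig_at].splitlines()
    i = 1  # skip the armor header line and the 'Hash:' lines up to the blank line
    while i < len(lines) and lines[i] != "":
        i += 1
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:])


def parse_status_lines(status_output):
    """Classify [GNUPG:] status lines. Acceptable only if at least one GOODSIG
    was seen and no bad, errored, expired, revoked or missing signature."""
    good, bad = [], []
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] == "GOODSIG" and len(fields) > 1:
            good.append(fields[1])
        elif fields[0] in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                           "REVKEYSIG", "NODATA"):
            bad.append(fields[0])
    return {"good": good, "bad": bad, "ok": bool(good) and not bad}


def run_gpg_verify(path):
    """Real-world use (assumes gpg on PATH; not run by the tests): accept the
    file only if it is structurally one block AND gpg reports a good signature."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    status = parse_status_lines(proc.stdout)
    return audit_clearsigned_file(text)["exclusive"] and status["ok"] \
        and proc.returncode == 0


# Constructed samples: the armor body is a placeholder, not a real signature.
CLEAN = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "deb http://mirror.example.invalid/debian stable main\n"
    "- -- trailing dash line\n"
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "iQEzBAEBCAAdFiEEPLACEHOLDERPLACEHOLDERPLACEHOLDER=\n=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)
PADDED = "# unsigned preamble\n" + CLEAN + "unsigned trailing line\n"
STATUS_OK = ("[GNUPG:] NEWSIG\n"
             "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.invalid>\n")
STATUS_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.invalid>\n")
```

Whitespace outside the block is tolerated because clearsigned files commonly end with a newline; any other leading or trailing bytes make the audit fail, which is the condition "gpg --verify" alone does not report.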