GnuPG signed message spoofing vulnerability
Posted Mar 8, 2007 18:35 UTC (Thu) by kingdon (subscriber, #4526)
Parent article: GnuPG signed message spoofing vulnerability
I agree with the GnuPG developers that this is a bug, rather than just user error (or front-end error). The important part is: "they will see the contents of both of the plaintext packets followed by a statement that the signature was verified. Nothing in the output indicates the presence of two packets with different signature status." In other words, GnuPG had been claiming that something was verified when it was not.