Re: unsafe use of gpg
Ansgar Burchardt <ansgar@debian.org> writes:
> I recently looked at several packages using gpg to verify signatures
Thanks for your work! Please try to raise this upstream so that they can
provide proper interfaces.
Is
/usr/bin/gpgv --quiet --keyring /etc/myprogram/trusted.gpg file file.sig
chmod a+x file
./file
still a safe way to ensure that only code signed by a key in trusted.gpg
gets executed? (Assuming of course that user can't modify the file
between the check and execution.)
Reply to: