Cleartext Signatures Considered Harmful
4 months ago
- #Cryptography
- #PGP
- #Security
- Cleartext signatures in PGP allow text to be readable without special tools but verification is complex.
- Terminal escape codes can mislead users about what was actually signed, requiring PGP tools for accurate verification.
- Commands like `gpg --verify -o signed.txt message.asc` are necessary to properly verify cleartext signatures.
- Cleartext signatures are prone to attacks, such as fake armor lines and misleading comment lines.
- Detached signatures or PGP/MIME are recommended over cleartext signatures for better security.
- Historical context: Cleartext signatures were designed for early Internet and BBS systems, now largely outdated.
- Common pitfalls include altered armor lines, misleading comment lines, and hidden terminal control characters.
- Conclusion: Avoid cleartext signatures; use detached signatures and verify with trusted tools.