audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects

Originally published at: News - Whonix Forum
Issue of torbrowser-launcher using gpg command line.

[or call it an issue of the gnupg interface and its difficulty using it inside scripts, unfinished python gpg libraries etc.]

Whonix consistently uses gpg-bash-lib. I’ve checked, that it is not affected by this issue. I.e. explicitly defining sig file and data file.

However, I welcome review for this issue and gpg-bash-lib generally. Also other (build) scripts using gpg may be affected.

Problem fixed in torbrowser launcher: