Originally published at: https://www.whonix.org/blog/gpg-signature-verification-bypass
Issue of torbrowser-launcher using the gpg command line.
[Or call it an issue of the gnupg interface and the difficulty of using it inside scripts, unfinished Python gpg libraries, etc.]
Whonix consistently uses gpg-bash-lib. I’ve checked that it is not affected by this issue, i.e. it explicitly defines the sig file and the data file.
However, I welcome review for this issue and gpg-bash-lib generally. Other (build) scripts using gpg may also be affected.
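
For script authors reviewing their own gpg calls, here is one way to verify a detached signature with both the sig file and the data file passed explicitly. This is an added example, not code from gpg-bash-lib or torbrowser-launcher. The function names and the fingerprint pinning via `--status-fd` are assumptions that go beyond what the post states.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not taken from gpg-bash-lib.

# Succeeds only if the --status-fd output contains a VALIDSIG line whose
# primary-key fingerprint (last field) equals the pinned fingerprint.
status_has_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !ok }'
}

# verify_detached SIG DATA FINGERPRINT
# Returns 0 only for a valid detached signature over DATA made by the pinned
# key, 1 if gpg rejects the signature or the key does not match, 2 on misuse.
verify_detached() {
    [ "$#" -eq 3 ] || return 2
    sig=$1 data=$2 fpr=$3
    # Refuse to run gpg unless both files are present and distinct.
    [ -f "$sig" ] && [ -f "$data" ] && [ "$sig" != "$data" ] || return 2
    # Two file arguments: gpg checks SIG as a detached signature over DATA.
    # Machine-readable status goes to stdout; human-readable text is discarded.
    status=$(gpg --batch --status-fd 1 --verify -- "$sig" "$data" 2>/dev/null) \
        || return 1
    status_has_validsig "$status" "$fpr"
}
```

A caller treats any non-zero return as a failed verification and stops before using the data file.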