audit if torbrowser-launcher GnuPG signature verification bypass attack applies to Whonix or other projects


Originally published at: https://www.whonix.org/blog/gpg-signature-verification-bypass
Issue of torbrowser-launcher using gpg command line.

[or call it an issue of the gnupg interface and its difficulty using it inside scripts, unfinished python gpg libraries etc.]


Whonix consistently uses gpg-bash-lib. I’ve checked that it is not affected by this issue, i.e. it explicitly defines the sig file and the data file.
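What "explicitly defining sig file and data file" can look like in a script, as an added example that is not taken from gpg-bash-lib or torbrowser-launcher. The function names are hypothetical, and it assumes ASCII-armored detached signatures and a dedicated keyring file.

```shell
# Added example; function names are hypothetical, not gpg-bash-lib's API.
# Assumes ASCII-armored detached signatures (.asc) and a dedicated keyring.

# Succeed only if the file starts like an armored *detached* signature.
# A clearsigned or inline-signed message carries its own payload, so a
# "good signature" on it says nothing about the separately downloaded file.
is_detached_armored_sig() {
  [ -f "$1" ] || return 1
  _first="$(head -n 1 "$1" | tr -d '\r')"
  [ "$_first" = "-----BEGIN PGP SIGNATURE-----" ]
}

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line
# names the expected fingerprint (signing key, or primary key in last field).
status_names_signer() {
  awk -v fpr="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# verify_detached KEYRING SIG_FILE DATA_FILE EXPECTED_FINGERPRINT
# Both files are always passed to gpg explicitly; nothing is left for gpg
# to infer from the signature file's name or contents.
verify_detached() {
  [ "$#" -eq 4 ] || return 2
  [ -f "$3" ] || return 1
  is_detached_armored_sig "$2" || return 1
  _status="$(gpg --batch --no-default-keyring --keyring "$1" \
      --status-fd 1 --verify -- "$2" "$3" 2>/dev/null)" || return 1
  printf '%s\n' "$_status" | status_names_signer "$4"
}
```

The decision is taken from the machine-readable status lines and a pinned fingerprint, not from gpg's human-readable output or its exit code alone.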


However, I welcome review for this issue and gpg-bash-lib generally. Also other (build) scripts using gpg may be affected.


Problem fixed in torbrowser launcher: https://twitter.com/micahflee/status/710148540480131072