Author: rransom
Date: 2012-02-02 04:25:38 +0000 (Thu, 02 Feb 2012)
New Revision: 25371
Modified:
website/trunk/docs/en/verifying-signatures.wml
Log:
Specify the bundle on the GPG command line, to block an easy attack
Otherwise, They can put a message with an attached signature in the .asc
file, and GPG will call it good.
Modified: website/trunk/docs/en/verifying-signatures.wml
===================================================================
--- website/trunk/docs/en/verifying-signatures.wml 2012-02-01 22:33:14 UTC (rev 25370)
+++ website/trunk/docs/en/verifying-signatures.wml 2012-02-02 04:25:38 UTC (rev 25371)
@@ -97,7 +97,7 @@
to download the ".asc" file as well. Assuming you downloaded the
package and its signature to your Desktop, run:</p>
- <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc</pre>
+ <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>
<p>The output should say "Good signature": </p>
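Review bot: the paragraph above the changed <pre> line still only says "run:" and never tells the reader that the second argument is the downloaded bundle and must be given. Per the log message, the one-argument form lets a .asc file that carries its own signed message verify as good, so a reader who shortens the command back to `--verify <file>.asc` loses the check without knowing it. Suggest adding a sentence after "run:" stating that both the .asc file and the package must be named on the command line, and that a "Good signature" result from the .asc file alone says nothing about the package. Separately, the executable path `C:\Program Files\Gnu\GnuPg\gpg.exe` contains a space and is unquoted on both the removed and added lines; quoting it would make the command usable as pasted.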
@@ -153,7 +153,7 @@
to download the ".asc" file as well. Assuming you downloaded the
package and its signature to your Desktop, run:</p>
- <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc</pre>
+ <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>{.asc,}</pre>
<p>The output should say "Good signature": </p>
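Review bot: the `{.asc,}` suffix on the added line relies on shell brace expansion, so in a shell that does not perform it gpg receives one literal filename, and even where it works the reader cannot see that two files are being passed. Spelling out both paths, as the Windows hunk does (`gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable>`), keeps the two platforms' instructions consistent and makes the detached-signature-plus-data form explicit. The context line above also says the files were downloaded to the Desktop while the command uses /Users/Alice/; worth aligning while this line is being touched.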