-
anarcat authored
The SigSpoof vulnerability found in GnuPG also affects Monkeysign, but in a lesser way. We check signatures only in one place: when we import images. This is a corner use case that is probably quite uncommon and since it requires access to the file in itself, it's likely there are already other ways to import arbitrary signatures into monkeysign. Still, we play it safe and disable the "verbose" mode that can possibly be enabled in `gnupg.conf` as recommended by the reporter, Marcus Brinkmann.