On Fri 2019-03-15 10:50:34 -0300, David Bremner wrote: > Adam Majer writes: > >> The (my?) expectation is that a *.asc file is a detached signature. >> That's why GPG is warning when it is not a detached signature. But I can >> live with .sha256.asc if there is no .sha256 ;) > > Right, aren't detached signatures preferred in general? Or am I > misremembering some gpg folklore? Detached signatures are recommended for several reasons: * They can handle non-textual data * They are not confused by varying character sets/encodings of textual data * They clearly demarcate what is being signed (text documents with inline signatures can include arbitrary cruft before the signed text, or after the signature) * gpg (and gpgv)'s API has traditionally been ambiguous about what it means to say "gpg --verify foo.asc" depending on whether foo (without the ".asc") exists. This API "shortcut" has a nasty failure mode, because an attacker can ship you an arbitrary "foo" and an inline-signed document as "foo.asc". in that case, you might be surprised to find that while the signature verifies, it has nothing to do with "foo". I don't think these situations are relevant for the case of a signed sha256sum file verified in a sensible way: * we're dealing with textual data, guaranteed to be US-ASCII. Verifiers can explicitly make that assumption. * Modern versions of gpg (and gpgv) have an --output argument when validating a signature, making it much easier to see what specifically was signed, and avoiding any ambiguity about weird "foo.asc + unrelated foo" use cases (see my use of --output in the pipeline example upthread) Detached signatures have the additional disadvantage of having to juggle/coordinate more files when publishing or retrieving a new release. For the sake of shipping fewer files with each release, i think it makes sense to use a clearsigned *.sha256.asc. --dkg