December 27, 2025
Signed, sealed… misdelivered?
Cleartext Signatures Considered Harmful
Readable ‘signed’ messages spark warnings — commenters say the real bug is the tool
TLDR: Experts warn that readable PGP cleartext signatures can mislead: what you see on screen is not necessarily what was signed. They recommend safer signing methods instead. Commenters clash over whether GnuPG’s decades-old behavior is the real problem or whether better verification would solve it, turning a dusty crypto feature into a modern blame game.
PGP—the old-school way to “sign” messages so you know they’re real—just got dragged. The article says those readable, copy‑paste friendly signatures can fool your eyes because your screen can hide tricks; to truly know what was signed, you have to run it through a proper tool. The author’s fix: stop using these “cleartext” signatures, and switch to safer methods like detached signatures or PGP/MIME for email.
Cue the comments section turning into a courtroom drama. One camp’s furious at the tool, not the user. “Don’t blame the use-case,” fumes one commenter, arguing GnuPG—the popular PGP program—has leaned on “it’s always worked this way” to justify risky behavior. Another voice fires back that the sky isn’t falling: both types of signatures require verification anyway, so if the output doesn’t match what you see, that’s a bug, not a reason to ban a whole style. Translation for non-nerds: people are fighting over whether this is a dangerous design or just bad safety checks.
Of course, the meme police arrived. Someone dropped the obligatory XKCD link because internet law requires it. Another tossed in a related HN thread to keep the fires burning. Verdict from the crowd: nostalgia be damned—either fix the defaults or stop pretending “readable” means “safe.”
Key Points
- Cleartext signatures are readable but can mislead, because encoding rules and terminal escape sequences affect how the text is displayed.
- Safe verification requires processing the entire message with GnuPG to extract the actual signed text into a file (e.g., signed.txt).
- For scripts, gpgv should be used to verify against trusted keys; gpg’s --assert-signer can serve similar purposes.
- Detached signatures are preferred and are verified by providing both the signature file and the message file to gpg/gpgv.
- Historically, cleartext signatures originated with PGP for ASCII BBS messaging; PGP/MIME (RFC 2015) later replaced them for email via Mutt.
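As an added illustration of the first two points (not code from the article, the commenters, or GnuPG): the script below extracts the text a cleartext signature actually covers, following the RFC 4880 cleartext rules (dash-unescaping, trailing whitespace dropped), and flags control characters and terminal escape sequences that a viewer may render differently from what was signed. The sample message, including its placeholder signature block, is constructed; verifying the signature itself remains GnuPG's job.

```python
import re

# Constructed sample: a cleartext-signed message whose body contains a dash-escaped
# line and an ANSI "conceal" sequence. The signature block is a placeholder, not real data.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Pay 10 EUR to Alice   \n"
    "- -- not a signature delimiter\n"
    "Pay \x1b[8m9000\x1b[0m EUR to Mallory\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER-SIGNATURE-DATA\n"
    "-----END PGP SIGNATURE-----\n"
)

ESC_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")          # ANSI CSI sequences
CTRL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")  # other C0/C1 controls

def extract_signed_text(msg):
    """Return the lines a cleartext signature covers (RFC 4880 section 7).
    Dash-escaping is undone and trailing whitespace is dropped, as the verifier
    does before hashing; GnuPG additionally hashes with CRLF line endings."""
    lines = msg.split("\n")
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext-signed message")
    i = 1
    while i < len(lines) and lines[i] != "":   # skip "Hash:" and other armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):
            line = line[2:]                   # dash-unescape
        body.append(line.rstrip(" \t"))       # trailing whitespace is not signed
    else:
        raise ValueError("no signature block found")
    return "\n".join(body)

def display_hazards(text):
    """Return 1-based line numbers containing bytes a terminal may hide or rewrite."""
    return [n for n, line in enumerate(text.split("\n"), 1)
            if ESC_RE.search(line) or CTRL_RE.search(line)]

if __name__ == "__main__":
    signed = extract_signed_text(SAMPLE)
    print(repr(signed))
    print("lines with display hazards:", display_hazards(signed))
```

On the constructed sample, line 3 is flagged: its concealed "9000" is part of what was signed even though some terminals would not show it.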