GPG <= 1.4.2.1, bad

Mon Mar 13 2006 00:00:00 GMT+0000 (Coordinated Universal Time)

hacks

As Schneier notes, there is a significant vulnerability in GnuPG versions before 1.4.2.2 that allows one to prepend or append arbitrary data to a signed message and not affect the signature calculation.

So, I'll be treating all messages signed with 1.4.2.1 and older as if they're unsigned.