The problem has been addressed in https://bitbucket.org/mmueller2012/pipelight/commits/c9fc745d46bedc2d7509dd87747f754a33cd5e04. Do you see any remaining issues with the new code?
In case you are wondering why I use a pipe in the updated code, some older versions of gpg searched for .sig or .asc files if no signature was found in the file itself. This would allow an attacker to put a forged signature into the temp directory (even though it should be pretty hard to guess the random file name). Passing the content via a pipe should prevent this behavior.
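The pipe-based check described in the comment above, sketched as an added example that is not part of the original post or of the Pipelight commit. It assumes an inline-signed message, uses `gpg --decrypt` with `--status-fd`, and pins a signer; `TRUSTED_FPR` is a constructed placeholder and the function names are hypothetical.

```python
import subprocess

# Constructed placeholder fingerprint of the key allowed to sign (assumption).
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# Status keywords that mean the stream must be rejected outright.
FATAL = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_from_status(status_text):
    """Return the primary-key fingerprint if gpg reported exactly one
    valid signature and no failure, otherwise None."""
    signers = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ordinary log output mixed into the same stream
        if parts[1] in FATAL:
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key fingerprint when
            # present; otherwise fall back to the signing key fingerprint.
            signers.append(parts[11] if len(parts) >= 12 else parts[2])
    return signers[0] if len(signers) == 1 else None


def verify_signed_bytes(signed, gpg="gpg", homedir=None):
    """Pipe an inline-signed message to gpg on stdin and return the payload
    only if TRUSTED_FPR signed it. As in the post, gpg is given no file
    name, so there is no path next to which a .sig or .asc could be found."""
    cmd = [gpg, "--batch", "--no-tty", "--status-fd", "2", "--decrypt"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    proc = subprocess.run(cmd, input=signed,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    status = proc.stderr.decode("utf-8", "replace")
    if proc.returncode != 0 or signer_from_status(status) != TRUSTED_FPR:
        raise ValueError("signature verification failed")
    return proc.stdout
```

Checking the status lines rather than only the exit code also rejects a stream signed by a key other than the pinned one.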