Comment 3 for bug 1632502

The problem has been addressed in https://bitbucket.org/mmueller2012/pipelight/commits/c9fc745d46bedc2d7509dd87747f754a33cd5e04. Do you see any remaining issues with the new code?

In case you are wondering why I use a pipe in the updated code, some older versions of gpg searched for .sig or .asc files if no signature was found in the file itself. This would allow an attacker to put a forged signature into the temp directory (even though it should be pretty hard to guess the random file name). Passing the the content via a pipe should prevent this behavior.