A subtle formatting quirk in GnuPG’s clearsign handling lets an attacker append unsigned data to a signed message while still passing GnuPG’s verification routine — a signature‑verification bypass tracked as CVE‑2025‑68972 that affects GnuPG releases up to and including 2.4.8 and has been...
