The signature verification in git-lfs.spec, as currently written, is vulnerable to spoofing. There's a treacherous pitfall with clearsigned files like sha256sums.asc: A clearsigned block can be surrounded by unsigned text. An attacker could make a malicious tarball and pass it off as a new version of Git-LFS. The attacker would take a genuine signed sha256sums.asc and add the SHA-256 sum of the malicious tarball above or below the clearsigned block. gpgv2 would verify only the contents of the clearsigned block and report that the signature is valid. Then sha256sum would verify the tarball against the unsigned checksum and report that it matches. Thus the attack has bypassed the signature verification. The way to prevent such attacks is to have gpgv2 write the verified data to an output file, omitting any surrounding unsigned text, and then trust only the contents of the output file. The best solution is to get this improved version of gpgverify merged: https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/261 Then git-lfs.spec should be changed to use that, and pass its output file to sha256sum instead of the clearsigned file. (Actually the very best solution would be if the Git-LFS developers would skip the sha256sum step and just sign their tarballs directly.)
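As an added illustration (not code from this report, from git-lfs.spec or from the redhat-rpm-config pull request), here is a small Python model of the two checks described above: `clearsigned_body()` extracts what gpgv2 `--output` writes after a successful verification (it verifies no signature itself; gpgv2 still has to do that), and `checksums_match()` models how `sha256sum -c --ignore-missing` selects and checks entries, which is an assumption about how the spec picks the tarball's line. The tarball contents, file names and the signature block are constructed placeholders.

```python
import hashlib
import re

# Constructed sample data: stand-ins for a release tarball and a tampered one.
GOOD_TARBALL = b"genuine git-lfs release archive (constructed)\n"
EVIL_TARBALL = b"attacker-built archive (constructed)\n"

# Constructed clearsigned sha256sums.asc; the signature block is a placeholder,
# not a real OpenPGP signature. Only the text between the blank line after the
# "Hash:" header and the BEGIN PGP SIGNATURE line is covered by the signature.
SIGNED_ASC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    f"{hashlib.sha256(GOOD_TARBALL).hexdigest()}  git-lfs-VERSION.tar.gz\n"
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "<placeholder signature, constructed>\n-----END PGP SIGNATURE-----\n"
)

# The spoofing described in the report: an unsigned checksum line for the
# tampered archive appended below the untouched, still valid signed block.
SPOOFED_ASC = SIGNED_ASC + (
    f"{hashlib.sha256(EVIL_TARBALL).hexdigest()}  git-lfs-NEWER.tar.gz\n"
)


def clearsigned_body(asc: str) -> str:
    """Return only the signed text, as gpgv2 --output writes it after a
    successful verification: text before or after the block is dropped and
    dash-escaped lines are restored (RFC 4880, section 7). No signature is
    verified here; gpgv2 still has to do that."""
    lines = asc.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    first = lines.index("", start) + 1  # body begins after the header lines
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[first:sig]]
    return "\n".join(body) + "\n"


def checksums_match(sums_text: str, files: dict) -> bool:
    """Model sha256sum -c --ignore-missing over the given checksum text:
    every entry naming a present file must match, and at least one present
    file must actually have been checked."""
    checked = 0
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64}) [ *](.+)", line)
        if not m or m.group(2) not in files:
            continue  # armor lines, headers, entries for absent files
        if hashlib.sha256(files[m.group(2)]).hexdigest() != m.group(1):
            return False
        checked += 1
    return checked > 0
```

Feeding `SPOOFED_ASC` straight to the checksum step accepts the tampered archive, while feeding it `clearsigned_body(SPOOFED_ASC)` (the gpgv2 output file) rejects it because no signed entry names that archive.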
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42.
This was fixed four months ago.