Yes, this was a deliberate design decision, most probably so the same code could be used to parse --- BEGIN PGP ENCRYPTED MESSAGE --- and --- BEGIN PGP SIGNATURE ---. However, this is a _huge_ security hole, as it allows the nearly-undetectable modification of PGP-signed messages.
It's nowhere near undetectable. When you ask pgp to check the signature, pgp writes the signed message to a file (or to stdout), and that output does not include the {header/junk/extra stuff} between the BEGIN line and the blank line. I don't like this bug/feature, but I don't see it as a serious security problem for users who are aware of it. I do think it could be a problem for users who are not aware of it, and who incorrectly assume that the "good signature" message means that the {header/junk/extra stuff} was part of the signed material.

--apb (Alan Barrett)
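The check discussed in this thread, as an added example that is not part of the original messages or of PGP's own code: a small parser that separates the unsigned header area (between the BEGIN line and the blank line) from the signed text and reports anything in that area other than a `Hash:` armor header. The sample message, the function names, and the choice to treat a whitespace-only line as the separator are assumptions made for illustration.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# Assumption: "Hash:" is the only armor header expected in a clearsigned block.
HASH_HEADER = re.compile(r"^Hash: [A-Za-z0-9, -]+$")

# Constructed sample: one extra line placed before the blank separator line.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This line sits before the blank line, so it is not signed.

Pay Alice 10 dollars.
- -- dash-escaped line
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Return (header_lines, signed_text) for the first clearsigned block."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        end = lines.index(BEGIN_SIG, start + 1)
    except ValueError:
        raise ValueError("not a complete clearsigned message")
    # Header area: everything after the BEGIN line up to the first blank line.
    blank = start + 1
    while blank < end and lines[blank].strip() != "":
        blank += 1
    if blank == end:
        raise ValueError("no blank line separating headers from signed text")
    headers = lines[start + 1:blank]
    # Signed text: undo dash-escaping ("- " prefix), as a verifier's output would.
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]
    return headers, "\n".join(body)

def unsigned_header_junk(text):
    """Lines in the header area that are not 'Hash:' armor headers."""
    headers, _ = split_clearsigned(text)
    return [h for h in headers if not HASH_HEADER.match(h)]

if __name__ == "__main__":
    for line in unsigned_header_junk(SAMPLE):
        print("NOT COVERED BY SIGNATURE:", line)
```

A mail filter or wrapper script can run this before displaying a "good signature" result and show only the second element returned by `split_clearsigned` as the signed material.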