several questions about gnupg
Daniel Mettler
mettlerd@icu.unizh.ch
Wed May 29 03:27:02 2002
thanks, leigh.
nevertheless only one question has been answered so far. what
about the others? as i said, i did not find any answer in the
faq, the docs or the mailing list archive, thus i think these
questions are interesting to be answered for other gpg users too.
for a starter, i try to answer some of the remaining questions by
myself (correct me, if i am wrong)
> > ************************************************************
> > is there an irc channel of gnupg developers/users?
> > ************************************************************
no, there isn't. gnupg developers use telepathy instead.
> > ************************************************************
> > how does gnupg recognize revoked keys? does it check a
> > public key server for revocation certificates or how does
> > this work?
the revocation feature is a joke, man. besides this, rtfm.
> > ************************************************************
> > as i use gpg from within a python program i would like
> > to skip all interactive dialogs when i "--edit-key" except
> > for the indispensable password prompts. for other questions
> > i would like to set the answers from within the python
> > program. thus is there something between "--batch" (no
> > interaction at all) and fully interactive dialogs?
no, there isn't. it was hard to program, it should be hard to
embed.
> > how could
> > i implement something like this?
just do it. btw. rtfm of <put your favourite programming language
here>
...and the rest is for you:
On Tuesday 28 May 2002 03:26, Leigh S. Jones wrote:
> > ************************************************************
> > among others i use --recv-keys to automatically
> > retrieve missing public keys from a public key server.
> >
> > this feature does not seem to work reliably as the fetching
> > often hangs.
> >
> > is there an undocumented command line option to set a
> > timeout for this (e.g. stop automatic fetching after 30s if
> > it does not succeed)? is there any timeout at all? and is
> > there an option to make gpg retry it for a specified number
> > of times if it fails? can you recommend a reliable keyserver
> > (currently i use wwwkeys.pgp.net)?
> > ************************************************************
> > gpg returns an exit code of 0 if verification
> > "succeeds" regardless of the key trust (e.g. even if the
> > trust is "unknown") etc. thus i parse the output of
> > "--status-fd 1" to see whether the signature is really
> > valid, whether the public key is trusted and not expired or
> > revoked etc.
> >
> > i have read the DETAILS documentation, but some flag
> > explanations seem to be missing. is there a complete list of
> > all flags somewhere? and i do not know which flag is
> > necessary/sufficient for what state (is there any formal
> > documentation regarding this?). basically i want to check
> > for valid && not expired signatures which were signed by
> > trusted && not expired && not revoked keys, and reject
> > everything else. what combination of flags is
> > necessary/sufficient (in a mathematical sense) for this?
> > currently i use a long if-chain which only accepts the
> > signatures that
> >
> > have (GOODSIG && a sufficient TRUST_*) && do not have
> > (EXPSIG || EXPKEYSIG || NODATA || UNEXPECTED || SIGEXPIRED
> > || KEYEXPIRED || KEYREVOKED || RSA_OR_IDEA || NO_SECKEY ||
> > BADSIG || ERRSIG || NO_PUBKEY)
> >
> > this seems to be a safe (estimated, as i have not found any
> > formal information about this) but not efficient solution.
> > which flags would do it? can i safely omit checks for not
> > existing NODATA, UNEXPECTED, RSA_OR_IDEA, NO_SECKEY, BADSIG,
> > ERRSIG, NO_PUBKEY flags?
> > ************************************************************
> > what really happens when a signature is made with
> > --throw-keyid? i tested this and somehow the keyid seems to
> > be still embedded in the signature.
> > ************************************************************
> > what steps are needed to make a public key fully
> > trusted? currently, i "--lsign-key" it. is this sufficient
> > or do i need "--edit-key name trust" to set an appropriate
> > trust level too? can a public key be made fully trusted just
> > with "--edit-key name trust"?
regards
dan
--
...::: Daniel Mettler | http://www.numlock.ch :::....
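A worked example for the --status-fd question quoted above, added here and not taken from the thread or from GnuPG itself: a small Python filter that applies the acceptance rule from the post (GOODSIG plus a sufficient TRUST_* line, and none of the listed rejecting flags) to constructed sample status lines. It assumes one signature per status stream and treats only TRUST_FULLY and TRUST_ULTIMATE as sufficient; the sample lines are made up, not captured from a real gpg run.

```python
# Acceptance policy for "gpg --status-fd 1" output: every status line has the
# form "[GNUPG:] KEYWORD args"; ordinary gpg output on the same fd is ignored.
STATUS_PREFIX = "[GNUPG:] "

# Trust levels treated as sufficient (assumption: TRUST_MARGINAL is not enough).
SUFFICIENT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Flags from the post whose presence means the signature must be rejected.
REJECT_FLAGS = {
    "EXPSIG", "EXPKEYSIG", "NODATA", "UNEXPECTED", "SIGEXPIRED",
    "KEYEXPIRED", "KEYREVOKED", "RSA_OR_IDEA", "NO_SECKEY",
    "BADSIG", "ERRSIG", "NO_PUBKEY",
}


def parse_status(text):
    """Return a list of (keyword, argument_string) pairs from status-fd output."""
    events = []
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line (normal gpg output mixed into fd 1)
        fields = line[len(STATUS_PREFIX):].split(None, 1)
        events.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return events


def signature_acceptable(text):
    """Return (accepted, reason). Assumes the stream describes one signature."""
    keywords = {kw for kw, _ in parse_status(text)}
    rejecting = sorted(keywords & REJECT_FLAGS)
    if rejecting:  # any rejecting flag wins, even next to a GOODSIG line
        return False, "rejecting flag: " + ", ".join(rejecting)
    if "GOODSIG" not in keywords:
        return False, "no GOODSIG"
    if not keywords & SUFFICIENT_TRUST:
        return False, "insufficient key trust"
    return True, "good signature from a sufficiently trusted key"


# Constructed sample streams (hypothetical key id and user id).
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-05-28 1022550000\n"
    "[GNUPG:] TRUST_FULLY\n"
)
SAMPLE_EXPIRED_KEY = SAMPLE_GOOD + "[GNUPG:] KEYEXPIRED 1022550000\n"
SAMPLE_UNKNOWN_TRUST = SAMPLE_GOOD.replace("TRUST_FULLY", "TRUST_UNDEFINED")

if __name__ == "__main__":
    for name, s in [("good", SAMPLE_GOOD), ("expired key", SAMPLE_EXPIRED_KEY),
                    ("unknown trust", SAMPLE_UNKNOWN_TRUST)]:
        print(name, signature_acceptable(s))
```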