Best way to catch INSECURE unverified sig status when shelling out to gpg?
David Shaw
dshaw at jabberwocky.com
Sun Feb 10 06:09:01 CET 2013
On Feb 9, 2013, at 6:09 PM, Grant Olson <kgo at grant-olson.net> wrote:
> I'm currently writing a plugin that allows you to OpenPGP sign/verify
> ruby software packages:
>
> https://github.com/grant-olson/rubygems-openpgp
>
> Right now I'm just shelling out to gpg and checking the status code to
> determine success or failure. When I have an unverified but good
> signature I don't get an error code.
>
> What is the best way to check for this? I presume something like
> stdout.include?("INSECURE") is not localization friendly.
The option you're looking for is "--status-fd". Using that, you can get a stream of localization-safe string tags that can tell you the exact status of a signature. See the DETAILS file from the GnuPG distribution for the specific tags.
David
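
Added example, not part of the reply above and not code from rubygems-openpgp: one way to read the "--status-fd" stream from Ruby and tell a good-but-unverified signature apart from a trusted or failed one. The function names and the sample status lines are constructed for illustration, and the classification assumes a single signature per file; the tag names are those documented in GnuPG's DETAILS file.

```ruby
require "open3"

STATUS_PREFIX = "[GNUPG:] "
FAILURE_TAGS  = %w[BADSIG ERRSIG EXPSIG EXPKEYSIG REVKEYSIG NO_PUBKEY].freeze
TRUSTED_TAGS  = %w[TRUST_FULLY TRUST_ULTIMATE].freeze

# Constructed sample output (key id, fingerprint and user id are made up).
SAMPLE_UNTRUSTED = <<~OUT
  gpg: WARNING: This key is not certified with a trusted signature!
  [GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
  [GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-02-09 1360450000
  [GNUPG:] TRUST_UNDEFINED
OUT
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"

# Extract only the machine-readable keywords; localized human text is ignored.
def status_tags(status_output)
  status_output.each_line.map do |line|
    next unless line.start_with?(STATUS_PREFIX)
    line.delete_prefix(STATUS_PREFIX).split(" ").first
  end.compact
end

# Returns :trusted, :untrusted (signature good, key validity not established)
# or :invalid (bad, expired, revoked, missing key, or no signature seen).
def classify_signature(status_output)
  tags = status_tags(status_output)
  return :invalid if (tags & FAILURE_TAGS).any?
  return :invalid unless tags.include?("GOODSIG") && tags.include?("VALIDSIG")
  (tags & TRUSTED_TAGS).any? ? :trusted : :untrusted
end

# Hypothetical wrapper: status lines go to stdout (fd 1), human text to stderr.
# The exit status is deliberately not used as the verdict.
def verify_file(sig_path, data_path)
  out, _err, _status = Open3.capture3(
    "gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path
  )
  classify_signature(out)
end
```

A caller that must reject unverified keys treats anything other than :trusted as a failure, including TRUST_MARGINAL and TRUST_NEVER, which fall under :untrusted here.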