Signing a file given its hash only
Werner Koch
wk at gnupg.org
Thu May 22 12:04:57 CEST 2025
On Wed, 21 May 2025 21:18, Björn Persson said:
>> for i in $@ ; do
>> gpg -d -- ${i}.signedhash | sha256sum -c || fail "Failed to verify"
>> done
>
> That script ignores the result of the signature verification. It will
> return success if sha256sum finds that the hash matches the file, even
> if the signature is invalid.
Further, the verification is not robust. Either use --assert-signer or
replace gpg by gpgv. Then the OP should either use a clear-text signature
and use "--output -" to get the actual signed data or - better - use a
detached signature scheme with a data file and a separate signature
file. Something like this:
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then
echo "list of software versions is not valid!" >&2
exit 1
fi
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
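A complete version of the detached-signature check described above, as an added example that is not part of the original thread. It assumes a keyring file distsigkey.gpg that holds only the expected signer's key, and that each FILE comes with FILE.sha256 (the signed hash list) and FILE.sha256.sig (the detached signature); both names are assumptions. The signature is verified in its own step so gpgv's exit status decides the outcome instead of being masked by a later command in a pipeline.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature over a hash list,
# then check the data file against that list. Not from the original post.
# Assumptions: GPGV names a gpgv binary (or a test stub), KEYRING is a
# keyring containing only the trusted signer's key, and FILE.sha256 /
# FILE.sha256.sig follow the naming convention above.

GPGV=${GPGV:-gpgv}
KEYRING=${KEYRING:-./distsigkey.gpg}

# Return 0 only if the signature verifies AND the hash matches the file.
# Return 1 for a bad/untrusted signature, 2 for a hash mismatch.
verify_signed_hash() {
    file=$1
    hashfile="$file.sha256"
    sigfile="$hashfile.sig"

    # Step 1: signature check as its own command so its exit status is
    # inspected directly. gpgv with a dedicated keyring also pins the
    # signer, which is the role --assert-signer plays with plain gpg.
    if ! "$GPGV" --keyring "$KEYRING" -- "$sigfile" "$hashfile" 2>/dev/null; then
        echo "signature on $hashfile is not valid" >&2
        return 1
    fi

    # Step 2: only now is the hash list trustworthy; compare the data to it.
    if ! sha256sum -c --status -- "$hashfile"; then
        echo "$file does not match its signed hash" >&2
        return 2
    fi
    return 0
}

# Usage: verify-signed.sh FILE...   (stops at the first failure)
for f in "$@"; do
    verify_signed_hash "$f" || exit 1
done
```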