decryption outputs to stdout before verification
Jakob Bohm
jb-gnumlists at wisemo.com
Thu Oct 30 04:50:10 CET 2025
On 24/10/2025 18:53, Werner Koch wrote:
> On Fri, 24 Oct 2025 15:03, Jakob Bohm said:
>> Note that the above user visible output (not the exit code) pretends
>> to report success,
>
> Which is technically correct because the signature is valid. The
> assertion simply fails and thus the exit code is guaranteed to be failure
> and you will also see an ASSERT_SIGNER status line if the assertion is true.
>
"Technically correct" is a bad excuse for misleading humans.
>> --status-fd is a particularly horrible interface for shell scripting use,
>> as it requires setting up an additional temporary file and overly complex
>
> awk is the tool of choice ;-)
>
> I would suggest to use libgpgme, gpgme-tools, or gpgme-json for all
> applications. No need for --assert-signer in this case because this can
> be easily checked without.
>
And none of this is documented or exemplified in the obvious gnupg man
pages. Thus when I needed to verify that some files were signed by
specific automated systems, I had to do a highly complex combination of
bash scripting, grep etc. GpgMe has been presented to the public
(including me) exclusively as a library for integrating gnupg in
existing interactive MUA programs like Outlook and TBird, not for much
less user-oriented tasks such as verifying that internal file delivery
ABCD1234.xyz was signed by the time-appropriate key for system ABCD.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
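The check the thread is circling around, written out as an added example (not code from either poster): verify a file against an allow-listed signing-key fingerprint using only gpg's machine-readable `--status-fd` lines and awk, ignoring the human-readable "Good signature" text entirely. The status-line field layout follows GnuPG's doc/DETAILS; the fingerprints, key ID and user ID in the sample status output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a file's signature
# was made by an allow-listed key using only gpg's machine-readable
# "[GNUPG:]" status lines (format per GnuPG's doc/DETAILS), never the
# human-readable "Good signature" text.

# check_status STATUS_TEXT EXPECTED_FPR
# Exit 0 only if there is exactly one VALIDSIG line, its signing-key
# fingerprint (field 3) equals EXPECTED_FPR, and no line reports a bad,
# expired, revoked or unverifiable signature. Anything else is rejected.
# Because the key is allow-listed by fingerprint, the TRUST_* line is irrelevant.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }     # skip anything that is not a status line
        $2 == "VALIDSIG" { valid++; if ($3 == want) hit = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { exit !(valid == 1 && hit && !bad) }'
}

# verify_file SIGFILE DATAFILE EXPECTED_FPR
# Status lines go to fd 1, the human-readable output is discarded; both
# gpg's own exit code and the parsed status lines must pass.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) &&
        check_status "$status" "$3"
}

# Constructed sample status output; fingerprint, key ID and user ID are placeholders.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Build System ABCD <abcd@example.invalid>
[GNUPG:] VALIDSIG $FPR 2025-10-24 1761321600 0 4 0 22 10 01 $FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Build System ABCD <abcd@example.invalid>"

if check_status "$GOOD_STATUS" "$FPR"; then echo "sample 1: accepted"; fi
if ! check_status "$BAD_STATUS" "$FPR"; then echo "sample 2: rejected"; fi
```

`verify_file` is the piece that actually calls gpg; `check_status` is separated out so the accept/reject logic can be exercised on captured status output without a keyring.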