decryption outputs to stdout before verification

Robert J. Hansen rjh at sixdemonbag.org
Thu Oct 30 06:38:17 CET 2025


> And none of this is documented or exemplified in the obvious gnupg
> man pages.

From the first page of the man:

	"Note that signature verification requires exact
	knowledge of what has been signed and by whom it
	has been signed.  Using only the return code is
	thus not an appropriate way to verify a signature
	by a script. Either make proper use of the status
	codes or use the gpgv tool which has been designed
	to make signature verification easy for scripts."

You weren't using status codes sent on --status-fd, you were parsing
human-readable output exactly like you were explicitly advised not to
do. From the "WARNINGS" section of the manpage:

	"For scripted or other unattended use of gpg make
	sure to use the machine-parseable interface and not
	the default interface which is intended for direct
	use by humans.  The machine-parseable interface
	provides a stable and well documented API
	independent of the locale or future changes of gpg.
	To enable this interface use the options
	--with-colons and --status-fd.  For certain
	operations the option --command-fd may come handy
	too.

	…

	As an alternative the library GPGME can be used as
	a high-level abstraction on top of that interface."

Everything you needed was at the top of the man page. This one's on you.

> GpgMe has been presented to the public (including me) exclusively as
> a library for integrating gnupg in existing interactive MUA programs
> like Outlook and TBird, not for much less user-oriented tasks such
> as verifying that internal file delivery ABCD1234.xyz was signed by
> the time-appropriate key for system ABCD.

From https://www.gnupg.org/software/gpgme/index.html:

	"Because the direct use of GnuPG from an
	application can be a complicated programming task,
	it is suggested that all software should try to
	use GPGME instead."

I don't know who presented GPGME to you, but whoever it was hadn't read
the web page about it.
