decryption outputs to stdout before verification
Jakob Bohm
jb at wisemo.com
Thu Oct 30 16:44:13 CET 2025
On 30/10/2025 06:38, Robert J. Hansen via Gnupg-users wrote:
>> And none of this is documented or exemplified in the obvious gnupg
>> man pages.
>
> From the first page of the man:
>
> "Note that signature verification requires exact
> knowledge of what has been signed and by whom it
> has been signed. Using only the return code is
> thus not an appropriate way to verify a signature
> by a script. Either make proper use or the status
> codes or use the gpgv tool which has been designed
> to make signature verification easy for scripts."
>
> You weren't using status codes sent on --status-fd, you were parsing
> human-readable output exactly like you were explicitly advised not to
> do. From the "WARNINGS" section of the manpage:
Wrong assumption: I heeded that warning and wrote a bunch of
bash scripting to look in --status-fd output for relevant
computer-readable messages, some including the hash of the
expected signer identity (this was written years before gpg
2.4 added the new option). My complaint is how much work that
was.
>
> "For scripted or other unattended use of gpg make
> sure to use the machine-parseable interface and not
> the default interface which is intended for direct
> use by humans. The machine-parseable interface
> provides a stable and well documented API
> independent of the locale or future changes of gpg.
> To enable this interface use the options
> --with-colons and --status-fd. For certain
> operations the option --command-fd may come handy
> too.
>
> …
>
> As an alternative the library GPGME can be used as
> a high-level abstraction on top of that interface."
>
> Everything you needed was at the top of the man page. This one's on you.
>
>> GpgMe has been presented to the public (including me) exclusively as
>> a library for integrating gnupg in existing interactive MUA programs
>> like Outlook and TBird, not for much less user-oriented tasks such
>> as verifying that internal file delivery ABCD1234.xyz was signed by
>> the time-appropriate key for system ABCD.
>
> From https://www.gnupg.org/software/gpgme/index.html:
>
> "Because the direct use of GnuPG from an
> application can be a complicated programming task,
> it is suggested that all software should try to
> use GPGME instead."
>
That statement says nothing to dispel the notion that gpgme is a
library for the most primitive end user scenarios, not serious
automation, a notion very much encouraged by the use of the word
"me" in its name.
In fact it looks very much like the advertisement blurbs added by
other software vendors to advertise seriously crippled wrapper
libraries.
> I don't know who presented GPGME to you, but whoever it was hadn't read
> the web page about it.
--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
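The approach both posters refer to, as an added example that is not part of this thread or of GnuPG's own code: run gpg with --status-fd, ignore the human-readable lines, and accept the plaintext only if the machine-readable status stream contains a VALIDSIG whose fingerprint matches the expected signer, an acceptable TRUST_ line, no fatal keyword, and DECRYPTION_OKAY when decryption took place. The fingerprint, user id and status lines below are constructed sample data, not real keys; `EXPECTED_FPR`, `parse_status`, `gpg_argv` and `decrypt_and_verify` are names chosen here. Because gpg may write plaintext before it finishes verifying (the subject of this thread), the command line sends output to a file that is deleted on any failure rather than streaming it to stdout.

```python
import os
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example fingerprint (not a real key). A deployment would
# substitute the expected signer's full 40-hex-digit fingerprint.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Any of these keywords on the status stream means: reject, no matter
# what else appears.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA",
         "NO_PUBKEY", "DECRYPTION_FAILED", "FAILURE"}
# Trust levels accepted for the key named by VALIDSIG.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: List[str] = field(default_factory=list)
    trust: Optional[str] = None


def gpg_argv(ciphertext_path: str, plaintext_path: str) -> List[str]:
    """Command line that puts status lines on fd 2 and writes plaintext to a
    file (not stdout), so a failed verification can discard it."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "2",
            "--output", plaintext_path, "--decrypt", ciphertext_path]


def parse_status(text: str, expected_fpr: str = EXPECTED_FPR) -> Verdict:
    """Decide from --status-fd output whether the data was signed by the
    expected key. Lines without the [GNUPG:] prefix are human-readable
    noise and are ignored."""
    fprs: List[str] = []
    trust: Optional[str] = None
    decrypting = decrypted = False
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        kw = fields[0]
        if kw in FATAL:
            return Verdict(False, f"gpg reported {kw}")
        if kw == "VALIDSIG" and len(fields) >= 2:
            # fields[1]: fingerprint of the signing (sub)key;
            # fields[10], when present: fingerprint of its primary key.
            fprs.append(fields[1].upper())
            if len(fields) >= 11:
                fprs.append(fields[10].upper())
        elif kw.startswith("TRUST_"):
            trust = kw
        elif kw == "BEGIN_DECRYPTION":
            decrypting = True
        elif kw == "DECRYPTION_OKAY":
            decrypted = True
    if decrypting and not decrypted:
        return Verdict(False, "decryption started but never reported OKAY")
    if not fprs:
        return Verdict(False, "no VALIDSIG: signature absent or invalid", trust=trust)
    if expected_fpr.upper() not in fprs:
        return Verdict(False, "signed by an unexpected key", fprs, trust)
    if trust not in ACCEPTED_TRUST:
        return Verdict(False, f"trust level {trust} not accepted", fprs, trust)
    return Verdict(True, "signed by the expected key", fprs, trust)


def decrypt_and_verify(ciphertext_path: str, plaintext_path: str,
                       expected_fpr: str = EXPECTED_FPR) -> Verdict:
    """Run gpg, judge the status stream, and remove the plaintext on failure."""
    proc = subprocess.run(gpg_argv(ciphertext_path, plaintext_path),
                          capture_output=True, text=True)
    verdict = parse_status(proc.stderr, expected_fpr)
    if proc.returncode != 0 and verdict.ok:
        verdict = Verdict(False, f"gpg exit status {proc.returncode}",
                          verdict.fingerprints, verdict.trust)
    if not verdict.ok and os.path.exists(plaintext_path):
        os.remove(plaintext_path)  # never hand unverified plaintext downstream
    return verdict


# Constructed status stream for a good decrypt-and-verify run.
GOOD_STATUS = """gpg: encrypted with rsa3072 key, ID 89ABCDEF01234567
[GNUPG:] ENC_TO 89ABCDEF01234567 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1761841453 report.txt
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Build System <build@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-10-30 1761841453 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Same stream but signed by some other key (also constructed).
WRONG_KEY_STATUS = GOOD_STATUS.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98")

# Constructed stream where the signature does not verify.
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Build System\n"

if __name__ == "__main__":
    for name, s in (("good", GOOD_STATUS), ("wrong key", WRONG_KEY_STATUS), ("bad", BAD_STATUS)):
        print(name, parse_status(s))
```

Note that VALIDSIG alone is not enough: gpg emits it for any cryptographically valid signature, including one made by a key you have never seen, so the fingerprint comparison and the TRUST_ check carry the actual policy. The GOODSIG line is deliberately not used because it carries a short key id and a free-form user id rather than a fingerprint.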