How to verify the file was successfully encrypted...

Jeffrey F. Bloss jbloss at tampabay.rr.com
Wed Jul 12 21:13:58 CEST 2006


Benny Helms wrote:

<snippage>


First off, I hope you've considered that gpg is doing what it's supposed
to do and you're really trying to break it. If your encrypted files
are "corrupt" at a later date, maybe you have another problem and don't
*want* to make it just go away. IOW, be cautious that a solution
doesn't weaken your security. ;)

> Thank you for the reply, Mark.  Yes, that would definitely do the
> trick. I guess I need to go to the FAQ to discover how to safely put
> a password into a scripted activity since each decryption requires a
> password.

Don't know if this will help or not, but I just did a quick test with
GnuPG 1.4.4 and the --dry-run command line switch seems to work fine.
Outputs to stdout rather than writing a file to disk.  I changed a
single bit in an encrypted (armored) file and tried it, and got a "CRC
error" without entering any pass phrase at all. 

That's with -vv set in my options file, FWIW. And bleeding edge
hash/cypher algorithms.

Additionally, you can enter a pass phrase on the command line with the
--passphrase switch. I tested it with both known good and known bad
encrypted files, and if you enter a bogus/incorrect pass phrase for a
known good file you get a "bad passphrase" error. With a known bad
encrypted file you get the same "CRC error". Neither one requires any
user input, which is what you want.

IOW, if you...

 gpg -d --dry-run --passphrase boguspassphrase bad-file.asc 

You get the "CRC error", but if you...

 gpg -d --dry-run --passphrase boguspassphrase good-file.asc

You get the "bad passphrase".

The down side is, both are exit code '2', so you'd have to grep for the
"verbal" response to tell the difference. But that's not a major hurdle
and it should be trivial to "if $?" grep return codes into something
useful.

The other down side is this doesn't explicitly tell you if you have a
*good* encrypted file, it only picks out a couple errors. To do that
you'd have to either be sitting there entering pass phrases, or include
them in your script. Probably not where you'd want to go with this. :(

-- 
Hand crafted on 12 July, 2006 at 14:36:55 EDT

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                  -Groucho Marx
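As an added example (not part of Jeffrey's message or of GnuPG itself), a POSIX sh wrapper around the --dry-run probe described above: it greps the "verbal" response and hands back distinct exit codes, since gpg itself exits 2 in both cases. The classify/check_file names, the --batch switch and the placeholder pass phrase are assumptions.

```shell
#!/bin/sh
# classify: map the text gpg printed on stderr to one word.
#   corrupt  - "CRC error" seen: the armored data itself is damaged
#   intact   - "bad passphrase" seen: packets parsed, only the bogus key failed
#   unknown  - neither string seen (missing file, not OpenPGP data, ...)
classify() {
    case "$1" in
        *"CRC error"*)      echo corrupt ;;
        *"bad passphrase"*) echo intact  ;;
        *)                  echo unknown ;;
    esac
}

# check_file: run the --dry-run probe from the message and turn the verdict
# into distinct exit codes (0 intact, 1 corrupt, 2 unknown).
# --batch is assumed here only to guarantee gpg never prompts.
# "2>&1 >/dev/null" captures gpg's diagnostics (stderr) and discards
# anything it writes to stdout, which is where --dry-run would send output.
check_file() {
    msg=$(gpg --batch -d --dry-run --passphrase boguspassphrase "$1" 2>&1 >/dev/null)
    verdict=$(classify "$msg")
    echo "$1: $verdict"
    case "$verdict" in
        intact)  return 0 ;;
        corrupt) return 1 ;;
        *)       return 2 ;;
    esac
}

# Usage: sh check-armor.sh file1.asc file2.asc ...
for f in "$@"; do
    check_file "$f"
done
```

The "intact" verdict only says the armor and packet structure parsed; as the message notes, proving the file decrypts cleanly still needs the real pass phrase.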