GnuPG feature request: Step-wise decryption

David Shaw dshaw at
Fri Feb 27 20:19:11 CET 2004


On Fri, Feb 27, 2004 at 10:30:24PM +0100, abognupg at wrote:

> I use GnuPG in a mail gateway scenario that has to interoperate with
> many different "PGP-like" products that are, unfortunately, not fully
> RFC 2440 conforming.
> On the sending side, I can fix any problems by doing the signing +
> encryption in steps (using "--store", "-z 0" and "--no-literal" in a
> similar way to the one described for PGP 2.x on the GnuPG website).
> Thus the 3 layers (innermost: literal packet and any signature
> packets; middle layer: compression packet; outer layer: pub key
> encrypted session key + symmetrically encrypted data) can be produced
> in a controlled way, and little utility programs permit me to do any
> needed packet re-sorting and/or packet header re-writing without
> having to re-invent GnuPG core functionality like compress/uncompress
> or encrypt/decrypt.
> However, on the receiving side, currently there is no such user
> control over the GnuPG decryption/verify process. It would be great to
> have options like "--stop-after-decryption" and
> "--stop-after-uncompress" (these names are just examples, of course)
> that cause GnuPG to only do the first and/or the second of the 3
> decryption/verify steps (decryption, uncompress, signature
> verification) and output the result as a binary OpenPGP data
> structure.

This sort of thing has been suggested every now and then, and I've always
been reluctant.. but let's talk about it a bit.  How would this work
in practice?

If the goal is to get the innermost contents, a
--stop-after-uncompress might not be the right thing since there may
be no compressed data packet inside the encrypted data packet.  In
that case a --stop-after-uncompress would not stop things before the
whole message is processed.  Similarly, feeding a compressed but not
encrypted message to a --stop-after-decryption command would never

What do you think about a general "--unwrap" command, which would peel
off the outermost layer (whether it is encryption or compression) and
stop there.  Callers could re-submit the output back in for another
round of --unwrap if they want to go further.

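The layering discussed in this thread is visible from the packet headers alone. The following is an added example, not part of the original message and not GnuPG code: it parses OpenPGP packet headers (RFC 2440 section 4.2) and reports which layer is outermost, that is, what one round of the proposed --unwrap would face. The function names and sample bytes are constructed for illustration, and nothing is decrypted or decompressed.

```python
# Added illustration, not GnuPG code; header parsing only. Tags: RFC 2440/4880.
LAYER = {1: "encryption", 3: "encryption", 9: "encryption", 18: "encryption",
         8: "compression",
         2: "inner", 4: "inner", 11: "inner"}

def read_header(data, pos=0):
    """Return (tag, body_offset, body_length); length None = open-ended body."""
    try:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if ctb & 0x40:                               # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:                          # one-octet length
                return tag, pos + 2, first
            if first < 224:                          # two-octet length
                return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
            if first == 255:                         # five-octet length
                if pos + 6 > len(data): raise IndexError
                return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            return tag, pos + 2, None                # partial body length
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
        if ltype == 3:
            return tag, pos + 1, None                # indeterminate length
        n = 1 << ltype                               # 1, 2 or 4 length octets
        if pos + 1 + n > len(data): raise IndexError
        return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    except IndexError:
        raise ValueError("truncated packet header") from None

def top_level_tags(data):
    """Tags of the packets visible at the current (outermost) level."""
    tags, pos = [], 0
    while pos < len(data):
        tag, body, length = read_header(data, pos)
        tags.append(tag)
        if length is None:                           # body consumes the rest
            break
        pos = body + length
    return tags

def outermost_layer(data):
    """Layer a single unwrap round would meet first."""
    return LAYER.get(read_header(data)[0], "unknown")

# Constructed samples: header bytes are valid encodings, bodies are dummy filler.
ENCRYPTED = bytes([0x84, 3, 0, 0, 0, 0xA7, 0xDE, 0xAD])   # tag 1, then tag 9
COMPRESSED = bytes([0xA3, 1, 0xDE, 0xAD])                  # tag 8, not encrypted
LITERAL = bytes([0xCB, 5, 0x62, 0, 0, 0, 0])               # tag 11 only
```

The three samples correspond to the cases raised in the reply: an encrypted message, a compressed but unencrypted message, and a message with neither outer layer.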


More information about the Gnupg-devel mailing list