Bug in gpg 1.4.1/gpgme 1.0.2 - blocked while encrypting signed data with untrusted key
Stéphane Corthésy
stephane at sente.ch
Wed Aug 17 20:37:42 CEST 2005
Hi,
Here's a bug I thought had been fixed in gpg 1.4.1 (or is it gpgme
1.0.2?), but, alas, it's still present (no, I haven't yet tested the
upcoming 1.4.2 release).
Using gpgme 1.0.2, I encrypt and sign some data; keys used for
encryption are not trusted, and I don't want them to be trusted
blindly. Here's the command issued by gpgme:
gpg --no-sk-comment --status-fd 26 --no-tty --charset utf8 --enable-progress-filter --command-fd 27 --encrypt --sign --armor -r SOME_UNTRUSTED_KEY_ID -r MY_KEY_ID -u MY_KEY_ID --output - --
If I perform the operation on the command line, here's what's happening:
$ gpg --no-sk-comment --status-fd 1 --no-tty --charset utf8 --enable-progress-filter --command-fd 0 --encrypt --sign --armor -r SOME_UNTRUSTED_KEY_ID -r A5BAB3D84F6CAE038B2276F25467B616992020D4 -u 5467B616992020D4 --output - --
[GNUPG:] USERID_HINT 5467B616992020D4 Stéphane Corthésy (Sen:te) <stephane at sente.ch>
[GNUPG:] NEED_PASSPHRASE 5467B616992020D4 5467B616992020D4 17 0
[GNUPG:] GET_HIDDEN passphrase.enter
XXX
[GNUPG:] GOT_IT
[GNUPG:] GOOD_PASSPHRASE
gpg: XXXXXXXX: There is no assurance this key belongs to the named user
[GNUPG:] GET_BOOL untrusted_key.override
Process is then blocked, because it expects a 'true' or 'false' reply
to the last question.
I hope it's been fixed in gpg 1.4.2/gpgme 1.1 (when will they be
released?), as it prevents the use of gpgme with the 'trust all keys'
option.
Cheers,
Stéphane
P.-S.
$ gpg --version
gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2
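The hang reported above comes from a GET_BOOL prompt on --status-fd that never gets a line back on --command-fd. The following is an added example, not code from the post, gpg or gpgme: it scans status lines for prompts and either plans an explicit reply or aborts, so a caller never sits blocked. The transcript is constructed from the lines quoted in the message; plan_replies, UnansweredPrompt, the FAIL_CLOSED table and the "n" reply token are assumptions made for illustration.

```python
import re

# Prompts gpg emits on --status-fd when it wants a line on --command-fd.
PROMPT = re.compile(r"^\[GNUPG:\] (GET_BOOL|GET_LINE|GET_HIDDEN) (\S+)")

# Constructed transcript, modelled on the status lines quoted in the post.
TRANSCRIPT = """\
[GNUPG:] USERID_HINT 5467B616992020D4 Example User
[GNUPG:] NEED_PASSPHRASE 5467B616992020D4 5467B616992020D4 17 0
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GOOD_PASSPHRASE
gpg: XXXXXXXX: There is no assurance this key belongs to the named user
[GNUPG:] GET_BOOL untrusted_key.override
""".splitlines()


class UnansweredPrompt(RuntimeError):
    """A prompt the driver has no reply for; abort instead of blocking."""


def plan_replies(status_lines, answers):
    """Map each prompt in status_lines to the line to write on --command-fd.

    answers: prompt keyword -> reply string (hypothetical policy table).
    Returns [(kind, keyword, reply)] in the order the prompts appeared.
    """
    plan = []
    for line in status_lines:
        m = PROMPT.match(line)
        if m is None:
            continue  # informational status or stderr text, no reply due
        kind, keyword = m.groups()
        if keyword not in answers:
            # The situation from the post: gpg waits and nobody answers.
            raise UnansweredPrompt(f"{kind} {keyword}")
        reply = answers[keyword]
        if "\n" in reply or "\r" in reply:
            # One prompt gets exactly one line; never smuggle a second reply.
            raise ValueError(f"{keyword}: reply must be a single line")
        plan.append((kind, keyword, reply))
    return plan


# Fail closed: decline the untrusted key explicitly ("n" is an assumed token).
FAIL_CLOSED = {"passphrase.enter": "<passphrase>", "untrusted_key.override": "n"}

if __name__ == "__main__":
    for kind, keyword, reply in plan_replies(TRANSCRIPT, FAIL_CLOSED):
        print(kind, keyword, "->", "***" if kind == "GET_HIDDEN" else reply)
```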