Inocrrect(?) verification exit code for revoked certificates

Joanna Rutkowska joanna at
Fri Feb 24 15:27:17 CET 2012


I've just discovered that gnupg --verify will happily return 0 exit code
for signature created with a REVOKED signature.

E.g. I have imported the old key revocation certificate, and
it's clear that gpg realizes the signing key was revoked, but still
returns 0:

[user at qubes kernel]$ gpg --verify linux-
gpg: Signature made Thu Apr 14 22:42:05 2011 CEST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key
<ftpadmin at>"
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: Key was used to autosigning; autosigning server
was compromised.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
Primary key fingerprint: C75D C40A 11D7 AF88 9981  ED5B C86B A06A 517D 0F0E
[user at qubes kernel]$ echo $?

Wile it seems to me that an error exit code should returned in this
case. After all a "good" signature made with a compromised key, should
not be considered as "good"...

This is especially important for build scripts that make use of gpg in
order to verify downloaded tarballs.

A similar issue is when we one tries to verify the signature using
untrusted key -- shouldn't gpg return an error exit code in this case as

Perhaps a special options might be introduced, such as
'--fail-when-revoked-key', and '--fail-when-untrusted-key' that would
add such behavior?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120224/b19d976b/attachment.pgp>

More information about the Gnupg-devel mailing list