python-gnupg uses "gpg --with-fingerprint --with-colons FILENAME" -- is this supported?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 4 20:41:41 CEST 2016


Hi GnuPG folks,

In the python-gnupg module maintained by Vinay Sajip (cc'ed here), it
tries to scan a file containing keys by using the following command
line:

   gpg --with-fingerprint --with-colons FILENAME

https://bitbucket.org/vinay.sajip/python-gnupg/src/13e347b44785dd0ace0e9101b8940466b271fc08/gnupg.py?at=default#gnupg.py-1198


        """
        List details of an ascii armored or binary key file
        without first importing it to the local keyring.

        The function achieves this by running:
        $ gpg --with-fingerprint --with-colons filename
        """


Is this a supported use case?  This appears to be using no explicit
command, which means it's taking advantage of the following section in
gpg(1):

       gpg may be run with no commands, in which case it will perform a
       reasonable action depending on the type of file it is given as input
       (an encrypted message is decrypted, a signature is verified, a file
       containing keys is listed).

If the desired action is "a file containing keys is listed", maybe it
would make more sense to explicitly provide a command that does this?  I
don't see a way to make an explicit command for it -- it seems to be
handled inside the aListPackets: clause of switch(cmd) in main() in
g10/gpg.c, but it is distinct from --list-packets because
packet_list_mode is not set.

Making matters worse, the output of this non-command actually differs
between gpg 1.4 and 2.1, even when 1.4 is using --fixed-list-mode:

0 dkg at alice:/tmp/cdtemp.uaInIQ$ diff -u <(gpg1 --homedir $(pwd) --fixed-list-mode --with-colons dkg-test.asc ) <(gpg --homedir $(pwd) --with-colons dkg-test.asc )
--- /dev/fd/63	2016-10-04 14:27:05.473568896 -0400
+++ /dev/fd/62	2016-10-04 14:27:05.473568896 -0400
@@ -1,2 +1,3 @@
-pub:-:4096:1:CCD2ED94D21739E9:1180812858:1483512006::-:Daniel Kahn Gillmor <dkg at fifthhorseman.net>:
+pub:-:4096:1:CCD2ED94D21739E9:1180812858:1483512006::-:
+uid:::::::::Daniel Kahn Gillmor <dkg at fifthhorseman.net>:
 uid:::::::::Daniel Kahn Gillmor <dkg at debian.org>:
1 dkg at alice:/tmp/cdtemp.uaInIQ$

(The test file I used is attached if you want to try to replicate this.)

I'm not sure of the proper way to approach this situation. Is it:

 * a bug in --fixed-list-mode in 1.4?

 * a bug in the output of 2.1, since it is effectively an API break from
   previous versions?

 * an unsupported mode for programmatic use, since the behavior will
   vary depending on the contents of FILENAME (thus making it a bug that
   python-gnupg even tries to use this)?

 * something else?

Any thoughts or pointers welcome,

    --dkg
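As an added example (not code from the thread or from python-gnupg), a parser for the --with-colons listing that accepts both shapes shown in the diff above: the gpg 1.4 form, where the first user ID sits in field 10 of the pub record, and the gpg 2.1 form, where it arrives as a separate uid record. The fpr handling for --with-fingerprint output and the \x3a unescaping follow the documented colon-listing format but are not exercised by the sample, which is constructed from the two listings in the message.

```python
"""Parse 'gpg --with-colons' key listings so that the gpg 1.4 and gpg 2.1
output shapes from the thread yield the same structure."""

# Constructed sample input: the two listings from the diff in the message.
LISTING_GPG14 = """\
pub:-:4096:1:CCD2ED94D21739E9:1180812858:1483512006::-:Daniel Kahn Gillmor <dkg at fifthhorseman.net>:
uid:::::::::Daniel Kahn Gillmor <dkg at debian.org>:
"""
LISTING_GPG21 = """\
pub:-:4096:1:CCD2ED94D21739E9:1180812858:1483512006::-:
uid:::::::::Daniel Kahn Gillmor <dkg at fifthhorseman.net>:
uid:::::::::Daniel Kahn Gillmor <dkg at debian.org>:
"""


def _unescape(field):
    # Colon-listing fields escape ':' as \x3a and '\' as \x5c.
    return field.replace("\\x3a", ":").replace("\\x5c", "\\")


def parse_colon_listing(text):
    """Return one dict per primary key: keyid, length, algo, created,
    expires, uids (in listing order) and fprs (from --with-fingerprint)."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype in ("pub", "sec"):
            current = {
                "keyid": fields[4],
                "length": int(fields[2]),
                "algo": int(fields[3]),
                "created": fields[5],
                "expires": fields[6],
                "uids": [],
                "fprs": [],
            }
            keys.append(current)
            # gpg 1.4 puts the primary user ID in field 10 of the pub record;
            # gpg 2.1 leaves it empty and emits a separate uid record instead.
            if len(fields) > 9 and fields[9]:
                current["uids"].append(_unescape(fields[9]))
        elif rectype == "uid" and current is not None:
            current["uids"].append(_unescape(fields[9]))
        elif rectype == "fpr" and current is not None:
            current["fprs"].append(fields[9])  # field 10 is the fingerprint
        elif rectype in ("sub", "ssb"):
            current = None  # stop attributing later fpr records to the primary
    return keys
```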

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dkg-test.asc
URL: </pipermail/attachments/20161004/e0408292/attachment-0001.asc>